b'\x0cOffice of the Inspector General\nSemiannual Report to Congress\n                                                                   APRIL 1, 2012\xe2\x80\x93SEPTEMBER 30, 2012\n\n\n\n\n       T\n                 he mission of the Office of Inspector General (OIG) is to promote the integrity, efficiency, and\n                 effectiveness of the critical programs and operations of the United States (U.S.) Securities and\n                 Exchange Commission (SEC or Commission). This mission is best achieved by having an effec-\n       tive, vigorous, and independent office of seasoned and talented professionals who perform the following\n       functions:\n\n       \xe2\x80\xa2\t   Conducting independent and objective audits, evaluations, investigations, and other reviews\n            of SEC programs and operations;\n       \xe2\x80\xa2\t   Preventing and detecting fraud, waste, abuse, and mismanagement in SEC programs and\n            operations;\n       \xe2\x80\xa2\t   Identifying vulnerabilities in SEC systems and operations and recommending constructive\n            solutions;\n       \xe2\x80\xa2\t   Offering expert assistance to improve SEC programs and operations;\n       \xe2\x80\xa2\t   Communicating timely and useful information that facilitates management decision making\n            and the achievement of measurable gains; and\n       \xe2\x80\xa2\t   Keeping the Commission and Congress fully and currently informed of significant issues and\n            developments.\n\n\n\n\n                                                         APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                       |   i\n\x0c\x0ccontentS\n\n\n\n\n    Message from the interim Inspector General .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 1\n\n\n    Management and Administration.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 5\n    Agency Overview.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 5\n    OIG Staffing .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 5\n\n\n    Congressional TESTIMONY, Requests, and Briefings .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 7\n\n\n    The Inspector General\xe2\x80\x99s Statement on the SEC\xe2\x80\x99s Management and\n    Performance Challenges. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .9\n    Procurement and Contracting .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 9\n    Information Security .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 10\n    Continuity of Operations Program.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  11\n    Financial Management .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  12\n\n\n    Advice and Assistance Provided to the Agency.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  13\n\n\n    Coordination with Other Offices of Inspector General .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  15\n\n\n    Audits and Evaluations .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 17\n    Overview .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  17\n    \tAudits.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  17\n    \tEvaluations.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  17\n    \t   Audit Follow-Up and Resolution .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 18\n    Audits and Evaluations Conducted.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  18\n    \t   Review of the SEC\xe2\x80\x99s Continuity of Operations Program (Report No. 502) .  .  .  .  .  .  .  .  18\n    \t   SEC\xe2\x80\x99s Records Management Practices (Report No. 505) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  19\n    \t   The Office of International Affairs Internal Operations and\n    \t\t      Travel Oversight (Report No. 508).  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  22\n    Pending Audits and Evaluations.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 23\n    \t   SEC\xe2\x80\x99s Whistleblower Program.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  23\n    \t   Support, Expert, and Consulting Services Contracts at the SEC .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 24\n    \t   Evaluation of the SEC\xe2\x80\x99s Systems Certification and Accreditation Process .  .  .  .  .  .  .  .  .  . 24\n    \t   Hiring Practices for Senior Level Positions at the SEC .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  24\n\n\n\n\n                                                                      APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                                         |   iii\n\x0c\t Filing Fee Refund Requests .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 25\n\t The SEC\xe2\x80\x99s Controls Over Sensitive and Proprietary Information Collected and\n\t\t     Exchanged With the Financial Stability Oversight Council.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  25\n\t Fiscal Year 2012 Federal Information Security Management Act (FISMA)\n\t\tAssessment.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  26\n\n\nInvestigations.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  27\nOverview.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 27\nInvestigations and Inquiries Conducted .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 28\n\t   Investigation Into Misuse of Resources and Violations of Information\n\t\t       Technology Security Policies Within the Division of Trading and\n\t\t       Markets (Report No. OIG-557) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 28\n\t   Physical Altercation and Security Violations by a Division of Enforcement\n\t\t       Contractor (Report No. OIG-572) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  30\n\t   Fraud, Falsification, and Misuse of Computer Resources by\n\t\t       Headquarters Employees (Report No. OIG-563) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 31\n\t   Unauthorized Disclosure of Nonpublic Information Concerning an\n\t\t       Enforcement Matter (Report No. OIG-575) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  32\n\t   Allegations of Theft and/or Improper Handling of SEC Blackberries\n\t\t       (Report No. OIG-566) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  33\n\t   Allegation of Leak of Draft Interagency Rule (PI 12-01) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 33\n\t   Allegations of Misuse of Official Time and Violation of Time and\n\t\t       Attendance Rules (PI 12-16) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 34\n\n\nReview of Legislation and Regulations .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  35\n\n\nMANAGEMENT DECISIONS .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  37\nStatus of Recommendations with No Management Decisions.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  37\nRevised Management Decisions .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 37\nAgreement with Significant Management Decisions .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  37\nInstances Where Information was Refused.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  37\n\n\nTABLES\t .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  39\nTable 1 \tList of Reports: Audits and Evaluations.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  39\nTable 2 \tReports Issued with Costs Questioned or Funds Put to\n              Better Use (Including Disallowed Costs) .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  39\nTable 3 \tReports with Recommendations on Which Corrective Action\n              Has Not Been Completed.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  40\nTable 4 \tSummary of Investigative Activity.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  45\n\n\n\n\niv   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cTable 5 \tSummary of Complaint Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46\nTable 6 \tReferences to Reporting Requirements of the\n             Inspector General Act.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  47\n\n\nAPPENDIx A. peer reviews of OIG operations.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  49\nPeer Review of the SEC OIG\xe2\x80\x99s Audit Operations .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 49\nPeer Review of the SEC OIG\xe2\x80\x99s Investigative Operations.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  49\n\n\nAppendix B. ANNUAL REPORT ON THE OIG SEC EMPLOYEE SUGGESTION HOTLINE\xe2\x80\x94\nISSUED PURSUANT TO SECTION 966 OF THE DODD-FRANK ACT .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 50\nIntroduction and Background .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  50\nSummary of Employee Suggestions and Allegations Received.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  50\nExamples of Suggestions Received.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 51\n\t    EDGAR Electronic Refund Requests .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 51\n\t    Hard Copy CCHs.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 52\n\t    Employee Directories.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  52\n\t    Paper and Supply Waste .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  52\nExamples of Allegations Received .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 53\n\t    Replacement of Physical Security Systems in Regional Offices .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  53\n\t    Referrals to the Office of Investigations .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  53\nConclusion \t.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  54\n\n\n\n\n                                                                   APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                                         |   v\n\x0c\x0cMessage from the Interim Inspector General\n\n\nI\n     am pleased to present this Semiannual Report to Congress as Interim Inspector\n     General of the U.S. Securities and Exchange Commission (SEC or Commission).\n     This report describes the work of the SEC Office of Inspector General (OIG) for\nthe period from April 1, 2012, to September 30, 2012. I am concurrently serving as\nthe Inspector General of the Federal Deposit Insurance Corporation. On May 30,\n2012, I was designated Interim Inspector General of the SEC until such time as the\nCommission hires a permanent Inspector General.\n\nThe audits, reviews, and investigations described       At my request, in early June 2012, the United States\nin this report illustrate the commitment of the SEC     Postal Service (USPS) OIG commenced a com-\nOIG to promoting the efficiency and effectiveness       prehensive and independent investigation into the\nof the SEC, as well as the impact the Office has had    allegations of misconduct by current and former\non SEC programs and operations.                         SEC OIG management. In late September 2012, the\n                                                        USPS OIG completed its investigation and issued\nAt the time of my designation as Interim Inspector      a report. I am now reviewing the evidence in the\nGeneral, the SEC OIG faced a number of challeng-        report to determine the disposition of the three\nes, including those presented by a complaint alleging   reports issued, or to be issued, by the SEC OIG. I\nmisconduct by current and former SEC OIG man-           expect to complete my review by November 2012.\nagement. This complaint, which had been reported\nin the press, called into question the integrity of     The SEC OIG still faces significant challenges,\nthree reports issued by or to be issued by the SEC      including those presented by depleted staffing levels.\nOIG. Almost immediately upon my designation             Several key staff members departed during the\nas Interim Inspector General, I coordinated with        reporting period, including the Deputy Inspector\nthe Council of the Inspectors General on Integrity      General and a senior auditor. We will be working\nand Efficiency (CIGIE) to identify another OIG to       closely with the SEC\xe2\x80\x99s Office of Human Resources\nindependently investigate the allegations involving     to fill these and other critical positions as quickly as\nthe SEC OIG.                                            possible.\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                    |   1\n\x0cAdditionally, since my designation as the SEC           The Office of Audits also issued a report on the\nInterim Inspector General, I have reviewed the          SEC\xe2\x80\x99s Office of International Affairs (OIA) internal\nOffice\xe2\x80\x99s organizational structure and operational       operations and travel oversight. This report found\nprocesses and have begun to implement certain           that OIA\xe2\x80\x99s operational units had effective policies,\nchanges and improvements. For example, under            procedures, and controls, but that improvements\nmy direction, the Office of Audits has reorganized      were needed to strengthen OIA\xe2\x80\x99s oversight of\nto add two supervisory auditor positions and plans      international travel by SEC staff. Further, during\nto move towards a team approach to auditing. I          the reporting period, the Office of Audits worked\nhave also undertaken measures designed to improve       closely with SEC management to close 69 recom-\ncommunications and coordination between the             mendations arising out of OIG reports.\nOffice of Audits and Office of Investigations. For\nexample, we arranged to have the CIGIE Training         The SEC OIG\xe2\x80\x99s Office of Investigations completed\nInstitute conduct an audit overview training session    numerous investigations and inquiries during the\nfor the SEC OIG\xe2\x80\x99s investigators. Additionally, I have   reporting period and issued seven reports of inves-\nsought to develop a more unified and coordinated        tigation or inquiry. Specifically, we issued reports\napproach to guide and foster the SEC OIG\xe2\x80\x99s rela-        related to the misuse of resources and violations of\ntionship with Congress. To that end, I designated       information technology security policies within the\nan OIG attorney to serve as the SEC OIG\xe2\x80\x99s primary       Division of Trading and Markets, security viola-\nlegislative contact and be responsible for track-       tions by a Division of Enforcement contractor, and\ning legislative developments and coordinating the       falsification and misuse of computer resources by a\nOffice\xe2\x80\x99s responses to Congressional requests.           Headquarters employee. We also issued reports con-\n                                                        cerning the unauthorized disclosure of nonpublic\nNotwithstanding the challenges faced by the SEC         information relating to an SEC enforcement matter\nOIG during this semiannual reporting period,            and draft regulations being promulgated by the SEC\nthe SEC OIG staff has remained committed to             and other federal financial regulatory agencies pur-\nachieving the Office\xe2\x80\x99s mission and promoting the        suant to the Dodd-Frank Wall Street Reform and\nefficiency and effectiveness of the SEC\xe2\x80\x99s programs      Consumer Protection Act (Dodd-Frank Act). Our\nand operations. During this reporting period, the       investigative reports resulted in three referrals to the\nOffice of Audits issued reports on agency operations    agency for consideration of appropriate administra-\nrelated to the SEC\xe2\x80\x99s continuity of operations pro-      tive action based on the OIG\xe2\x80\x99s findings, two refer-\ngram (COOP) and records management practices.           rals to the OIG\xe2\x80\x99s Office of Audits for consideration\nThese reports found that while the agency had           of audit follow-up work, and several specific recom-\ntaken steps to enhance both its COOP and records        mendations for improvement in agency policies and\nmanagement programs, significant improvements           procedures.\nwere still needed in these areas. For example, our\nCOOP report made a total of 38 recommendations          Also during the past year, the SEC OIG has contin-\ndesigned to strengthen the SEC\xe2\x80\x99s COOP and ensure        ued to operate the OIG SEC Employee Suggestion\nthat the SEC can continue to perform its critical       Program, which was initiated in September 2010\nmission functions during an emergency, and SEC          under the Dodd-Frank Act. This program continued\nmanagement concurred with all of these recommen-        to be active and effective during fiscal year 2012,\ndations. Based upon our report, we have identified      as indicated in our annual report on this program,\nCOOP as a management challenge facing the SEC.          which is included at Appendix B. During the past\n\n\n\n\n2   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cyear, we received and reviewed a total of 53 sugges-      the Commission and Congress, and I reaffirm the\ntions and allegations, with several suggestions lead-     SEC OIG\xe2\x80\x99s commitment to the Commission and\ning to tangible improvements in the SEC\xe2\x80\x99s programs        Congress as we carry out the OIG mission.\nand operations and, in some instances, cost savings.\n                                                          I appreciate the significant support the Office has\nIn closing, we will continue to strive to improve the     received from Congress, the SEC Chairman and\nefficiency and effectiveness of the SEC OIG through       Commissioners, and the SEC\xe2\x80\x99s management team\norganizational and procedural changes and by              and employees, as well as the inspector general com-\ngrowing our staff resources. We will also continue        munity. I also wish to acknowledge the service and\nto work collaboratively with SEC management to            leadership provided by the former Deputy Inspector\nassist the agency in addressing the challenges it faces   General. Finally, I would like to express my grati-\nas identified in this report, which include procure-      tude to all the SEC OIG staff, who have continued\nment and contracting, information security, COOP,         to demonstrate their dedication and commitment to\nand financial management. This report truly reflects      the work and mission of the SEC OIG during this\nour dual responsibility to report independently to        period of transition for the Office.\n\n\n\n\n                                                                       Jon T. Rymer\n                                                                       Interim Inspector General\n\n\n\n\n                                                          APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                |   3\n\x0c\x0cManagement and Administration\nAGENCY OVERVIEW                                           making Board (MSRB), and the Securities Inves-\n\n\n\nT\n         he SEC\xe2\x80\x99s mission is to protect investors;        tor Protection Corporation (SIPC). While about\n         maintain fair, orderly, and efficient markets;   2,000 smaller investment advisers transitioned to\n         and facilitate capital formation. The SEC        state regulation under the Dodd-Frank Wall Street\nstrives to promote a market environment that is           Reform and Consumer Protection Act (Dodd-Frank\nworthy of the public\xe2\x80\x99s trust and characterized by         Act), the SEC is gained responsibility for directly\ntransparency and integrity. The SEC\xe2\x80\x99s core values         overseeing approximately 1,500 larger private fund\nconsist of integrity, accountability, effectiveness,      advisers, including hedge funds.\nteamwork, fairness, and commitment to excellence.\nThe SEC\xe2\x80\x99s goals are to foster and enforce compli-         In order to accomplish its mission most effectively\nance with the federal securities laws; establish an       and efficiently, the SEC is organized into 5 main\neffective regulatory environment; facilitate access to    divisions (Corporation Finance; Enforcement;\nthe information investors need to make informed           Investment Management; Trading and Markets; and\ninvestment decisions; and enhance the Commis-             Risk, Strategy, and Financial Innovation) and 20\nsion\xe2\x80\x99s performance through effective alignment and        functional offices. The Commission\xe2\x80\x99s headquarters\nmanagement of human resources, information, and           is in Washington, D.C., and there are 11 regional\nfinancial capital.                                        offices located throughout the country. As of Sep-\n                                                          tember 30, 2012, the SEC employed 3,792 full-time\nSEC staff monitor and regulate a securities industry      equivalents (FTEs), consisting of 3,752 permanent\ncomprising more than 35,000 registrants, includ-          and 40 temporary FTEs.\ning approximately 9,500 public companies, 11,800\ninvestment advisers, about 4,200 mutual funds, and\nabout 5,400 broker-dealers, as well as national secu-     OIG STAFFING\nrities exchanges and self-regulatory organizations,       On May 30, 2012, the Commission named an\n450 transfer agents, 16 national securities exchang-      interim inspector general to serve while a search for\nes, 8 clearing agencies, and 9 credit rating agencies.    a permanent inspector general is completed.\nAdditionally, the agency has oversight responsibil-\nity for the Public Company Accounting Oversight           During the semiannual reporting period, the deputy\nBoard (PCAOB), the Financial Industry Regulatory          inspector general, the writer-editor, an auditor, and\nAuthority (FINRA), the Municipal Securities Rule-         a contract paralegal departed the OIG to pursue\n\n\n\n\n                                                          APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                  |     5\n\x0cother opportunities. The OIG bids farewell to these     in-charge positions and add a new junior auditor\ndedicated staff members.                                position. The OIG plans to fill these important posi-\n                                                        tions during the next reporting period. In addition,\nAlso during the reporting period, the OIG restruc-      the OIG appointed a current OIG staff attorney as\ntured its Office of Audits to create two new auditor-   Congressional and Public Affairs Counsel.\n\n\n\n\n6   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cCongressional Testimony, Requests, and Briefings\n\n\nD\n         uring this semiannual reporting period, the     the SEC had taken steps to implement the report\xe2\x80\x99s\n         OIG continued to keep Congress fully and        recommendations.\n         currently informed of the OIG\xe2\x80\x99s investiga-\ntions, audits, and other activities through testimony,   Subsequently, on July 24, 2012, the Interim Inspec-\nwritten reports, meetings, and telephonic communi-       tor General received a request from the Commit-\ncations.                                                 tee on Oversight and Government Reform for the\n                                                         OIG to perform additional work with respect to\nOn April 17, 2012, the former Inspector General          the cost-benefit analyses associated with certain\ntestified before the TARP, Financial Services, and       SEC rulemakings. Specifically, the request noted\nBailouts of Public and Private Programs Subcom-          that on March 16, 2012, the SEC had circulated\nmittee of the U.S. House of Representatives Com-         a memorandum entitled, \xe2\x80\x9cCurrent Guidance on\nmittee on Oversight and Government Reform                Economic Analysis in SEC Rulemakings\xe2\x80\x9d (Current\nconcerning the cost-benefit analyses performed by        Guidance), and that SEC Chairman Mary Schapiro\nthe SEC in connection with rulemakings under the         had assured the Subcommittee on TARP, Financial\nDodd-Frank Act. The primary focus of the former          Services, and Bailouts of Public and Private Pro-\nInspector General\xe2\x80\x99s testimony was a report the           grams that the Current Guidance would govern all\nOIG had issued during the previous semiannual            agency rulemaking. The Committee on Oversight\nreporting period concerning the OIG\xe2\x80\x99s \xe2\x80\x9cFollow-up         and Government Reform requested that the OIG\nReview of Cost-Benefit Analyses in Selected Dodd-        evaluate the implementation of the Current Guid-\nFrank Act Rulemakings.\xe2\x80\x9d  This report, as well as         ance in newly-proposed and final Commission rules,\nan earlier OIG report on the topic, was prepared in      as well as the degree to which the principles and\nresponse to a request from several members of the        policies of the Current Guidance are incorporated\nU.S. Senate Committee on Banking, Housing, and           into the economic analyses of rulemakings of the\nUrban Affairs. In his testimony, the former Inspector    self-regulatory organizations (SRO) under the SEC\xe2\x80\x99s\nGeneral summarized the findings and conclusions          jurisdiction. The Committee also welcomed the\nreached during the OIG\xe2\x80\x99s review. In addition, the        OIG\xe2\x80\x99s recommendations for further improvements\nformer Inspector General described the six recom-        to the cost-benefit analyses associated with SEC and\nmendations made in the report for improvements to        SRO rulemakings. On August 2, 2012, the Interim\nthe SEC\xe2\x80\x99s practices relating to cost-benefit analyses.   Inspector General responded to the Committee\xe2\x80\x99s\nFinally, the former Inspector General noted that         request and stated that the OIG had commenced the\n\n\n\n\n                                                         APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                |   7\n\x0cprocess to retain a contractor to conduct a review of   the Chairman of the U.S. House of Representatives\nthe SEC\xe2\x80\x99s implementation of the Current Guidance        Committee on Oversight and Government Reform,\nand its incorporation into SRO rulemaking.              which requested responses to three questions relat-\n                                                        ing to the specific methods used by the SEC OIG\nThe OIG also responded to several other Congres-        to communicate with Congress. In response to the\nsional requests during the reporting period. For        Chairman\xe2\x80\x99s questions, the Interim Inspector General\nexample, on July 11, 2012, the Interim Inspector        stated that he was not aware of any \xe2\x80\x9cseven-day let-\nGeneral responded to a June 27, 2012, request           ters\xe2\x80\x9d issued by the SEC OIG under Section 5(d) of\nfrom U.S. Senators Richard G. Lugar and Benjamin        the Inspector General Act, which requires an Inspec-\nL. Cardin. The Senators had requested that the          tor General to report particularly serious or flagrant\nOIG evaluate the status of the SEC\xe2\x80\x99s implemen-          problems to Congress through the agency head.\ntation of the Cardin-Lugar Amendment, which             The Interim Inspector General further informed the\nwas included as Section 1504 of the Dodd-Frank          Chairman that he was not aware of any serious or\nAct and required reporting of payments made to          flagrant problems at the SEC that were not reported\ngovernments for the extraction of oil, natural gas,     to Congress. The Interim Inspector General also\nand minerals by companies that must file disclo-        emphasized the importance he places on maintain-\nsures with the SEC. The Interim Inspector General       ing an active dialogue with Congress and described\ninformed the Senators that the OIG had confirmed        in detail the various methods used by the SEC OIG\nthat the Commission was scheduled to vote on a          to communicate with Congress in a timely, com-\nfinal rule implementing Section 1504 on August 22,      plete, and high-quality manner. Finally, the Interim\n2012. Thereafter, the Commission adopted the rules      Inspector General described measures he had\nmandated by Section 1504.                               undertaken since his May 30, 2012 appointment,\n                                                        to develop a unified and coordinated approach to\nIn addition, on July 20, 2012, the Interim Inspec-      guide and foster the SEC OIG\xe2\x80\x99s relationship with\ntor General responded to a July 16, 2012, request       Congress.\nfrom the Chairman of the Subcommittee on Energy\nand Environment of the U.S. House of Representa-        In addition to providing responses to the requests\ntives Committee on Science, Space, and Technology       discussed above, the Interim Inspector General\nthat the OIG conduct an inquiry into the SEC\xe2\x80\x99s          briefed various Congressional committee and\ncommunications with the Department of Energy            subcommittee staff. Shortly after his appointment,\n(DOE) regarding a DOE grantee. In his response,         the Interim Inspector General met separately with\nthe Interim Inspector General apprised the Subcom-      staff of the U.S. Senate Committee on the Judiciary\nmittee Chairman of pertinent communications of          and the U.S. House of Representatives Committee\nwhich the OIG was aware.                                on Oversight and Government Reform to discuss\n                                                        a number of issues relating to the SEC OIG and its\nThe Interim Inspector General also responded on         oversight work.\nAugust 24, 2012, to an August 3, 2012, letter from\n\n\n\n\n8   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cThe Inspector General\xe2\x80\x99s Statement on the\nSEC\xe2\x80\x99s Management and Performance Challenges\n\n\nT\n         he Reports Consolidation Act of 2000           personal services contract. On March 29, 2012,\n         requires the SEC OIG to identify and report    OIG issued a report of investigation into an allega-\n         annually on the most serious management        tion that the SEC had entered into an improper\nchallenges the SEC faces. To identify management        personal services contract. The investigation found\nchallenges we routinely review past and ongoing         evidence that an SEC contract may have been\naudit, investigation, and evaluation work to identify   improperly administered because some contract\nmaterial weaknesses, significant deficiencies, and      personnel were subject to the continuous supervi-\nvulnerabilities. This statement has been compiled       sion and control of SEC employees.\nbased on the work we have completed over the past\nyear, our general knowledge of the SEC\xe2\x80\x99s opera-         According to the Federal Acquisition Regulation\ntions, and feedback we received from the agency         (FAR), a personal services contract is character-\nand the Government Accountability Office\xe2\x80\x99s (GAO)        ized by the employer-employee relationship that\nfinancial statement auditors.                           is created between the Government and the con-\n                                                        tractor\xe2\x80\x99s personnel. The Government is normally\n                                                        required to obtain its employees by direct hire under\nPROCUREMENT AND CONTRACTING                             competitive appointment or other procedures that\nSince fiscal year 2008, OIG has identified the SEC\xe2\x80\x99s    are required by the civil service laws. Obtaining\nprocurement and contracting function as a man-          personal services by contract, rather than by direct\nagement challenge. While we are pleased at the          hire, circumvents these laws, absent specific Con-\ncontinued progress and improvements the Office          gressional authorization.1\nof Acquisitions (OA) has made in this area, over-\nall, procurement and contracting continues to be a      OIG\xe2\x80\x99s investigation recommended the agency\nmanagement challenge.                                   obtain an opinion from the Comptroller General on\n                                                        whether the SEC was employing unauthorized per-\nSpecifically, work conducted by OIG\xe2\x80\x99s Office of         sonal services. However, we subsequently advised\nInvestigations during the fiscal year, revealed there   SEC management that issuing a new regulation on\nwere deficiencies in the SEC\xe2\x80\x99s administration of a      personal services contracts would be a sufficient\n\n1   FAR \xc2\xa7 37.104(a).\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   9\n\x0cresponse to the investigation\xe2\x80\x99s findings and a Comp-      management challenge for the SEC due to repeat\ntroller General\xe2\x80\x99s opinion would not be needed.            findings for the current and past fiscal years that\nWhile OA continues to make improvements in the            have not been addressed. When taken as a whole,\nprocurement and contracting area, further progress        the combination of these deficiencies result in a\nis needed to ensure the SEC complies fully with           management challenge that must be addressed to\nthe FAR provisions relating to personal services          ensure the SEC\xe2\x80\x99s full compliance with all FISMA\ncontracts.                                                requirements and the SEC\xe2\x80\x99s information technology\n                                                          (IT) framework is secured.    \n\nINFORMATION SECURITY                                      Specifically, in the 2011 Annual FISMA Executive\nThough the Office of Information Technology (OIT)         Summary Report, Report No. 501, issued February\nmade significant improvements during the fiscal           2, 2012, we concluded SEC risk management policy\nyear, information security continues to be a man-         did not adhere to the requirements for a compre-\nagement challenge for the SEC. This was further           hensive governance structure and organization-wide\nconfirmed in the vulnerabilities that were identified     risk management strategy, and OIT\xe2\x80\x99s risk manage-\nin the system and network logs in the OIG\xe2\x80\x99s Assess-       ment did not address risk from a mission and busi-\nment of SEC Systems and Network Logs, Report              ness perspective as described in National Institute\nNo. 500, issued March 16, 2012, and based on new          of Standards and Technology (NIST) SP 800-37,\nweaknesses covering information security controls         Rev 1, Guide for Applying the Risk Management\nthat GAO identified in its fiscal year 2011 audit of      Framework to Federal Information Systems: A\nthe SEC\xe2\x80\x99s financial statements report.                    Security Life Cycle Approach, February 2010.\n\nIn Assessment of SEC Systems and Network Logs,            Secondly, the SEC has not fully implemented base-\nReport No. 500, the OIG determined OIT should             line configurations and configuration compliance\nidentify capacity requirements for all servers, ensure    scanning within the information system environ-\nsufficient capacity is available for the storage of       ment. Baseline configurations have not been defined\naudit records, configure auditing to reduce the likeli-   and configuration scanning is not conducted for\nhood that capacity will be exceeded, and implement        networking devices. Without baseline or compli-\na mechanism to alert and notify appropriate offices       ance scanning for networking devices, settings\nand divisions when log storage capacity is reached.       could be altered without the network administra-\n                                                          tor\xe2\x80\x99s knowledge. As a result, improperly configured\nThe report also found many SEC servers did not log        devices could present an increased security risk to\nauditable events because their logging capacity had       the SEC\xe2\x80\x99s systems.\nbeen exceeded. Further, the report found that there\nwas no mechanism available to alert OIT\xe2\x80\x99s Servers         In the 2011 Annual FISMA Executive Summary\nand Storage Branch or OIT\xe2\x80\x99s Security Branch when          Report, OIT concurred with the OIG\xe2\x80\x99s recommen-\nservers reached their capacity and stopped perform-       dation that the office complete its implementation\ning logging functions. Most notably, the report           of the technical solution for linking multi-factor\nrevealed that decommissioned servers were still           authentication to Personal Identity Verification\nactively connected to the SEC\xe2\x80\x99s Enterprise networks       (PIV) cards for system authentication and require\nand were still accessible.                                use of the PIV cards as a second authentication fac-\n                                                          tor, but it still has not implemented a technical solu-\nCompliance with the Federal Information Secu-             tion to link the multi-factor authentication solutions\nrity Management Act (FISMA) continues to be a             to SEC\xe2\x80\x99s PIV card. Thus, the SEC is not in compli-\n\n\n\n\n10   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cance with the requirements established in Homeland      CONTINUITY OF OPERATIONS PROGRAM\nSecurity Presidential Directive 12, which opens the     Federal agencies are required to have a viable\nagency up to a higher risk for fraud, tampering,        Continuity of Operations Program (COOP) in place\ncounterfeiting, etc.                                    to ensure the agency can continue to perform its\n                                                        critical mission functions during an emergency. An\nFinally, the SEC\xe2\x80\x99s tailored set of baseline security    agency\xe2\x80\x99s COOP plan focuses on restoring the orga-\ncontrols are not explicitly defined in the System       nization\xe2\x80\x99s mission essential functions at an alternate\nSecurity Plan or other security documents for each      site and performing these functions for up to 30\nsystem. Though OIT identifies a generic set of          days before returning to normal operations.\nbaseline security controls, the selection process is\nbased on the security categorization of the system      The OIG has identified SEC\xe2\x80\x99s COOP as a manage-\nand is not in accordance with NIST SP 800-37,           ment challenge. In the Review of the SEC\xe2\x80\x99s Continu-\nRev 1. Additionally, OIT has not developed formal       ity of Operations Program, Report No. 502, issued\nprocedures that provide instructions for tailoring      on April 23, 2012, we identified areas needing\nbaseline security controls in compliance with NIST      improvement to ensure a comprehensive, cohesive,\nSP 800-53, Rev 3, Recommended Security Controls         and up-to-date COOP that complies with federal\nfor Federal Information Systems and Organiza-           guidance. Many of the report\xe2\x80\x99s recommendations\ntions, August 2009. As a result of not implementing     involve OIT\xe2\x80\x99s interaction with program offices and\nformal tailored control sets, a generic control set     divisions agency-wide, to include the SEC\xe2\x80\x99s regional\nbased only on security categorization could result      offices. These improvements were broadly separated\nin understating or overstating the security require-    into two groups:\nments for each system and critical controls may not\nbe identified for systems if the tailoring process is   (1)\t procedural problems, and\nnot followed.                                           (2)\t IT equipment-related problems.\n\nThe areas discussed above remain challenges that        With regard to procedural improvements, the report\nwere identified in the past and have not yet been       found that supplemental plans for divisions, offices,\ncompletely mitigated. The OIG will continue its         and regional offices are not being updated or prop-\noversight of IT management and monitor progress         erly maintained. In addition, many of the plans that\nin these areas.                                         are in place contain unrealistic estimates of required\n                                                        recovery time. Further, the report found that several\nGAO reported in its fiscal year 2011 audit of the       regional offices\xe2\x80\x99 Disaster Recovery Plans (DRP) had\nSEC\xe2\x80\x99s financial statements that the SEC made prog-      not been tested annually, and two regional offices\nress in strengthening its internal controls over its    did not include recovery phase testing in their most\nfinancial information systems. However, despite this    recent disaster recovery test plans. Finally, we found\nprogress, they identified new weaknesses in infor-      that while some OIT personnel regularly participate\nmation security controls regarding                      in DRP exercises, many essential personnel do not\n                                                        participate in these exercises and have not received\n\xe2\x80\xa2\t   incomplete implementation of SEC\xe2\x80\x99s informa-        appropriate role-based training for their part in the\n     tion security program, and                         DRP and COOP activities.\n\xe2\x80\xa2\t   inadequate review of service auditors\xe2\x80\x99 reports\n     that jeopardized the confidentiality and integ-    Regarding IT equipment issues, our review identi-\n     rity of SEC\xe2\x80\x99s financial information.               fied instances where information feeds and power\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   11\n\x0cdistribution throughout the SEC\xe2\x80\x99s network could                   cant deficiencies GAO identified in SEC\xe2\x80\x99s internal\nfail if a disruption were to occur. In addition, equip-           controls and the inherent risks that are associated\nment at the SEC\xe2\x80\x99s devolution sites is out-of-date and             with transitioning the SEC\xe2\x80\x99s core financial system\ncannot be used with SEC\xe2\x80\x99s network, due to unre-                   to a FSSP, financial management remains a manage-\nsolved security issues. We also found that remote                 ment challenge.\naccess capabilities would be enhanced if remote\naccess to desktop applications could function when                GAO found that the SEC continued to carry out\nthe user\xe2\x80\x99s desktop computer is turned off or does                 its financial reporting during fiscal year 2011\nnot have power.                                                   using spreadsheets, databases, and data processing\n                                                                  practices that relied on significant manual analysis,\nAmong the report\xe2\x80\x99s 38 recommendations were that                   reconciliation, and work-arounds that were used to\nDRPs are tested thoroughly each year, and the SEC                 assist in calculating amounts in the general ledger\nshould revise its system recovery time objectives to              transaction postings. Such manual processes are\ninclude specific and realistic timeframes. Further,               resource intensive and prone to error and, coupled\nthe report recommended that the SEC should take                   with the significant amount of data involved, there\nprocedural steps such as categorizing essential                   is an increased risk of materially misstated account\npersonnel and ensure alternate worksites are readily              balances in the general ledger.\naccessible.\n                                                                  GAO reported that consistent with prior audits they\n                                                                  continued to find deficiencies in SEC\xe2\x80\x99s recording\nFINANCIAL MANAGEMENT                                              of new obligations and monitoring of open obliga-\nThe GAO\xe2\x80\x99s fiscal year 2011 audit of the SEC\xe2\x80\x99s                     tions. These deficiencies resulted in misstatements\nfinancial statements2 found that they were fairly                 in SEC\xe2\x80\x99s accounting records which could affect the\npresented in all material respects, in conformity                 reliability of information that is reported in its State-\nwith U.S. generally accepted accounting principles;               ment of Budgetary Resources.\nand though internal controls could be improved,\nthe SEC maintained in all material respects, effective            GAO also noted that the SEC made improvements\ninternal controls over financial reporting. Though                in verifying current filing fee transactions more\nGAO found no reportable noncompliance with the                    timely. However, they found continuing deficiencies\nlaws and regulations they tested, they identified four            in the SEC\xe2\x80\x99s controls over registrant deposits and\nsignificant deficiencies in SEC\xe2\x80\x99s internal controls.              filing fees that collectively represented a significant\nThe significant deficiencies identified during fiscal             deficiency for fiscal year 2011. Specifically, the SEC\nyear 2011 included deficiencies in controls over                  has not effectively addressed previously reported\n                                                                  deficiencies in its process to enable timely recogni-\n\xe2\x80\xa2\t     information systems,                                       tion of filing fee revenue. Because of this continuing\n\xe2\x80\xa2\t     financial reporting and accounting processes,              control deficiency, the SEC is not always recognizing\n\xe2\x80\xa2\t     budgetary resources, and                                   filing fee revenue in the correct accounting period\n\xe2\x80\xa2\t     registrant deposits and filing fees.                       and, therefore, its registrant deposit liability could\n                                                                  be misstated and not be corrected in a timely man-\nDuring the current fiscal year the SEC transitioned               ner. Contributing to the SEC\xe2\x80\x99s deficiencies in this\nits core financial system to the Department of Trans-             area is that it has yet to finalize and implement a\nportation\xe2\x80\x99s Enterprise Service Center, Federal Shared             formal process for ongoing monitoring of filing fee\nService Provider (FSSP). Based on the four signifi-               transactions.\n\n2   Includes SEC\xe2\x80\x99s general purpose and Investor Protection Fund (IPF) financial statements.\n\n\n\n12     |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cAdvice and Assistance Provided to the Agency\n\n\nD\n         uring this semiannual reporting period, the   tain initiatives to decrease the number of hard copy\n         OIG provided advice and assistance to SEC     CCH purchases, additional steps could be taken to\n         management on issues that were brought        reduce the costs associated with hard copy CCHs.\nto the OIG\xe2\x80\x99s attention through various means.          The OIG forwarded the suggestion to the Branch of\nThis advice and assistance was conveyed through        Library Services and suggested that it consider pro-\nwritten communications, as well as in meetings         viding additional information to SEC staff regarding\nand conversations with agency officials. The advice    the availability of this resource online. The OIG\nand assistance provided included suggestions for       further suggested that the Branch of Library Services\nimprovement in agency programs and operations          provide information regarding the price discrepancy\nthat were received through the OIG SEC Employee        between the hard copy and online CCH versions\nSuggestion Program, which was established pursu-       and offer training on the online resource to encour-\nant to Section 966 of the Dodd-Frank Wall Street       age more employees to utilize CCH IntelliConnect.\nReform and Consumer Protection Act.                    It is expected that these measures will result in a\n                                                       reduction in the number of hard copy CCHs utilized\nSpecifically, the OIG received a suggestion through    and, therefore, cost savings for the SEC.\nthe OIG SEC Employee Suggestion Program regard-\ning subscription costs associated with hard copy       Another suggestion received through the OIG SEC\nsets of Commerce Clearing House (CCH) securities       Employee Suggestion Program related to employ-\nlaw books and corresponding regular hard copy          ees\xe2\x80\x99 ability to book conference rooms online. The\nupdates. Staff from the SEC\xe2\x80\x99s Branch of Library        OIG was informed that in certain regional offices,\nServices informed the OIG that CCH is available        conference rooms are booked manually and require\nonline through CCH IntelliConnect at no additional     assistance from support staff. The OIG spoke with\ncost to the agency, but that many employees still      staff from the SEC\xe2\x80\x99s OIT and learned that, while all\nreceive hard copy sets and the corresponding paper     SEC offices currently have the capability to book\nupdates. According to the Branch of Library Servic-    conference rooms electronically, online scheduling\nes, the Commission currently spends over $300,000      of conference rooms is only available upon specific\nper year for hard copy subscriptions. After review-    request from the OIT service desk or local office\ning and analyzing the suggestion received, the OIG     information technology staff. At the time the OIG\nlearned that, while the Commission has taken cer-      received the suggestion, the Philadelphia, New\n\n\n\n\n                                                       APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012               |   13\n\x0cYork, Salt Lake, Chicago, and Denver Regional            Finally, the Counsel to the Inspector General\nOffices did not appear to use online conference          worked closely with the SEC\xe2\x80\x99s Office of Equal\nroom scheduling. After reviewing and analyz-             Employment Opportunity (EEO) to develop and\ning the suggestion received, the OIG forwarded           offer training to all SEC staff pursuant to the\nit to OIT for consideration. The OIG suggested           Notification and Federal Employee Antidiscrima-\nthat OIT provide additional information regard-          tion and Retaliation Act of 2002 (No FEAR Act).\ning the online scheduling feature throughout the         This Act mandates that federal agencies provide\nagency and also consider reminding employees of          training to its employees at least every two years\nthe benefits of online scheduling. Subsequently, the     regarding their rights, remedies, and responsibili-\nNew York Regional Office began implementing the          ties under antidiscrimination EEO laws and the\nonline scheduling function. It is expected that the      whistleblower protection laws. The Counsel to the\nremaining regional offices will also begin to use this   Inspector General provided assistance to the EEO\nfeature, which will result in a more streamlined,        Office in developing the portion of online No FEAR\nefficient approach to scheduling conference rooms,       Act training related to the Whistleblower Protection\nthereby improving employee efficiency.                   Act, and this online training was made available to\n                                                         SEC employees beginning in July 2012. In addi-\nAlso during the reporting period, the Office of          tion, the Counsel to the Inspector General provided\nAudits provided the agency with written com-             instruction concerning the antiretaliation provisions\nments it should consider before finalizing draft         of the Whistleblower Protection Act and the Inspec-\nSEC Operating Procedure 10-24, Management and            tor General Act during two live training sessions\nAdministration of Service Contracts. In addition,        offered to SEC employees in September 2012.\nthe Office of Audits provided the agency with minor\ncomments and edits it should consider before final-\nizing revised SEC Regulation 30-2, Audit Follow-up\nand Resolution.\n\n\n\n\n14   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cCoordination with Other Offices of\nInspector General\n\n\nD\n         uring this semiannual reporting period, the    chaired by the Inspector General of the Department\n         SEC OIG coordinated its activities with        of Treasury and is also comprised of the Inspectors\n         those of other OIGs, as required by Sec-       General of the Board of Governors of the Federal\ntion 4(a)(4) of the Inspector General Act of 1978,      Reserve System, the Commodity Futures Trading\nas amended. Specifically, the SEC Interim Inspec-       Commission, the Department of Housing and Urban\ntor General attended meetings of the Council of         Development, the Federal Deposit Insurance Cor-\nthe Inspectors General on Integrity and Efficiency      poration, the Federal Housing Finance Agency, the\n(CIGIE) and serves as the Chairman of the CIGIE         National Credit Union Administration, and the SEC\nAudit Committee. The Counsel to the Inspector           and the Special Inspector General for the Troubled\nGeneral participated in the activities of the Council   Asset Relief Program. Under the Dodd-Frank Act,\nof Counsels to the Inspectors General, an informal      the CIGFO is required to meet at least quarterly to\norganization of OIG attorneys throughout the            facilitate the sharing of information with a focus on\nfederal government who meet monthly and coor-           the concerns that may apply to the broader finan-\ndinate and share information. The SEC OIG also          cial sector and ways to improve financial oversight.\nresponded to requests for information from CIGIE        The CIGFO is also required to submit an annual\nduring the reporting period that related to cyber       report to the Financial Stability Oversight Council\nand information technology security related reviews     and the Congress, which must include a section\nand subpoena disclosures. Further, the SEC OIG          that highlights the concerns and recommendations\nforwarded matters discovered during two separate        of each CIGFO inspector general and a summary\nOffice investigations to other OIGs for potential       of the general CIGFO observations. The CIGFO\xe2\x80\x99s\ninvestigation.                                          2012 Annual Report was issued in July 2012 and\n                                                        included a section discussing the SEC OIG\xe2\x80\x99s mission,\nIn addition, the SEC Acting and Interim Inspectors      recent oversight work, and other planned oversight\nGeneral participated in the meetings and activities     work. The CIGFO 2012 Annual Report is available\nof the Council of Inspectors General on Financial       at http://www.treasury.gov/about/organizational-\nOversight (CIGFO), which was created by Sec-            structure/ig/Documents/CIGFO%20Document/508_\ntion 989E of the Dodd-Frank Act. The CIGFO is           CIGFO%20Annual%20Report.pdf.\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012               |   15\n\x0cIn addition to working on the CIGFO Annual              nal controls over sensitive and proprietary (nonpub-\nReport, the SEC OIG participated in a CIGFO             lic) information that was collected and exchanged\nworking group that was established in December          with FSOC. The findings from each respective OIG\n2011. The working group included staff from seven       were consolidated into the joint report entitled,\nCIGFO members\xe2\x80\x99 offices. The working group con-          Audit of the Financial Stability Oversight Council\xe2\x80\x99s\nducted a joint audit of the Financial Stability Over-   Controls over Non-public Information, which was\nsight Council\xe2\x80\x99s (FSOC) controls and protocols to        issued on June 22, 2012 to the FSOC Chairman.\ndetermine whether nonpublic information, delibera-      The report is available at http://www.treasury.\ntions, and decisions are properly safeguarded from      gov/about/organizational-structure/ig/Documents/\nunauthorized disclosure. FSOC, which was created        CIGFO%20Document/Audit%20of%20the%20\nby Section 111 of the Dodd-Frank Act, is charged        Financial%20Stability%20Oversight%20Coun-\nwith identifying threats to the financial stability     cil\xe2\x80\x99s%20Controls%20over%20Non-public%20\nof the United States, promoting market discipline,      Information.pdf.\nand responding to emerging risks that could impact\nthe stability of the nation\xe2\x80\x99s financial system. FSOC    While the report did not make any recommenda-\nconsists of 10 voting members and 5 nonvoting           tions, it identified differences in how FSOC and its\nmembers and brings together the expertise of federal    member agencies mark nonpublic information. In\nfinancial regulators, state regulators, and an insur-   addition, the report identified control differences in\nance expert appointed by the President with Senate      how the various agencies handle nonpublic informa-\nconfirmation. The Chairman of the SEC is among          tion with respect to oral communication, supple-\nthe voting FSOC members.                                mental prohibition on financial interest, contractor\n                                                        confidentiality and nondisclosure, encryption, and\nAs part of the working group, the SEC OIG con-          protocol for tracking information exchange.\nducted an audit of the SEC\xe2\x80\x99s management and inter-\n\n\n\n\n16   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cAudits and Evaluations\nOVERVIEW                                                 Audits\n\n\n\nT\n         he OIG is required by the Inspector General     Audits examine operations and financial trans-\n         Act of 1978, as amended, to conduct audits      actions to ensure proper management practices\n         and evaluations of agency programs, opera-      are being followed and resources are adequately\ntions, and activities. The Office of Audits focuses      protected in accordance with governing laws and\nits efforts on conducting independent audits and         regulations. Audits are systematic, independent, and\nevaluations of the SEC\xe2\x80\x99s programs, operations and        documented processes for obtaining evidence. In\nfunctions. The Office of Audits also hires indepen-      general, audits are conducted when firm criteria or\ndent contractors and subject matter experts to con-      data exist, sample data is measurable, and testing\nduct work on its behalf. Specifically, the Office of     internal controls is a major objective. Auditors col-\nAudits conducts audits and evaluations to determine      lect, analyze, and verify data by gathering documen-\nwhether                                                  tation, conducting interviews, and through physical\n                                                         inspections. The Office of Audits conducts audits in\n\xe2\x80\xa2\t   there is compliance with governing laws,            accordance with the generally accepted government\n     regulations, and policies;                          auditing standards, as set forth in the Government\n\xe2\x80\xa2\t   resources are safeguarded and appropriately         Auditing Standards, issued by the Comptroller Gen-\n     managed;                                            eral of the United States, OIG policy, and guidance\n\xe2\x80\xa2\t   funds are expended properly;                        issued by the CIGIE.\n\xe2\x80\xa2\t   desired program results are achieved; and\n\xe2\x80\xa2\t   information provided by the agency to the           Evaluations\n     public and others is reliable.                      The Office of Audits conducts evaluations of SEC\n                                                         programs and activities. Evaluations consist of proj-\nEach year, the Office of Audits prepares an annual       ects that often cover broad areas and are typically\naudit plan. The plan includes work that is selected      designed to produce timely and useful information\nfor audit or evaluation based on risk and materiality,   associated with current or anticipated problems.\nknown or perceived vulnerabilities and inefficien-\ncies, resource availability, and complaints received     Evaluations are generally conducted when a\nfrom Congress, internal SEC staff, the GAO, and the      project\xe2\x80\x99s objectives are based on specialty or highly\npublic.                                                  technical areas, criteria or data is not firm, or the\n\n\n\n\n                                                         APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   17\n\x0cinformation must be reported in a short period of         ery events resulting from human/natural disasters,\ntime. Evaluations are conducted in accordance with        national emergencies, or technological events which\nOIG policy and governing CIGIE guidance.                  could impact the Commission\xe2\x80\x99s ability to continue\n                                                          mission-critical and essential functions. The sub-\nAudit Follow-Up and Resolution                            objectives for the review were to:\nDuring this semiannual reporting period, SEC\ndivisions and offices provided the OIG with               \xe2\x80\xa2\t   evaluate the SEC\xe2\x80\x99s pandemic plan to ensure it\ndocumentation to support their implementation of               was formal, documented, well-communicated,\nrecommendations that were identified in reports we             had been tested at regular intervals, and met the\nissued to management. Specifically, the OIG closed             objectives of the National Strategy for Pandem-\n68 recommendations related to 14 Office of Audits              ic Influenza: Implementation;\nreports during this semiannual reporting period.          \xe2\x80\xa2\t   assess the Commission\xe2\x80\x99s implementation and\n                                                               testing of its pandemic plan;\n                                                          \xe2\x80\xa2\t   determine the Commission\xe2\x80\x99s plans for protect-\nAUDITS AND EVALUATIONS CONDUCTED                               ing its employees and contractors during a\n                                                               pandemic occurrence; and\nReview of the SEC\xe2\x80\x99s Continuity of Operations              \xe2\x80\xa2\t   evaluate the Commission\xe2\x80\x99s plans for sustaining\nProgram (Report No. 502)                                       essential functions during high rates of\n                                                               employee absenteeism.\n                B ackground\nA continuity of operations program (COOP), includ-                            R esults\ning a business continuity plan (BCP) and disaster         As detailed in the report, TWM found that while the\nrecovery plan (DRP), is essential to an organization      SEC did have a COOP function and plan (including\nmaintaining its critical operations when unforeseen       relocation sites and testing) in place, the program\ndisruptions or interruptions occur that may affect        needed to be improved. In particular, the SEC\xe2\x80\x99s\nthe organization\xe2\x80\x99s normal operations. All federal         COOP policies, procedures, and documents were:\nagencies are required to have viable programs and         (1) outdated or incomplete, (2) not comprehensive,\nplans in place to ensure they are able to continue to     and (3) not being followed in some respects.\nperform critical functions during an emergency. An\nagency\xe2\x80\x99s COOP plan focuses on restoring the orga-         TWM also found SEC recovery time objectives were\nnization\xe2\x80\x99s mission-essential functions at an alternate    inconsistent with the Federal Information Security\nsite and performing those functions for up to 30          Management Act\xe2\x80\x99s (FISMA) system categoriza-\ndays before returning to normal operations.               tion for availability and system functionality. The\n                                                          review also identified deficiencies with the DRPs for\nIn November 2011, the SEC OIG contracted the              individual systems, and found that the SEC did not\nprofessional services of TWM Associates, Inc.             prepare BCPs or Information System Contingency\n(TWM) to conduct a review of the SEC\xe2\x80\x99s COOP.              Plans for its information systems. Additionally,\nTWM\xe2\x80\x99s primary objectives were to determine if the         the review identified instances in which informa-\nSEC (1) had a viable COOP, BCP, and DRP that suf-         tion feeds and power distribution could fail if a\nficiently supported its operations at its headquarters,   disruption were to occur. Further, TWM found that\noperations center, and 11 regional offices; and (2)       current data restoration processes were insufficient\nwas adequately prepared to perform essential func-        and improvements were needed in the processes for\ntions during business continuity or disaster recov-       recovering data.\n\n\n\n\n18   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cTWM also found that remote access capabilities          In addition, the OIG recommended OIT determine\nneeded to be enhanced to allow remote access            which aspects of DRP and BCP testing should be\nto desktop applications. The review found that          conducted annually and ensure this testing includes\nseveral DRPs had not been tested annually, regional     the recovery phase and reconstitution phase. The\noffices have not tested their alternate site restora-   OIG also recommended OFRMS revise the SEC\xe2\x80\x99s\ntion capability, and the pandemic plan has not been     system recovery time objectives to specify more real-\ntested since 2007. In addition, the review found that   istic timeframes. Further, the OIG recommended the\nalternate work locations for eight regional offices     SEC take appropriate procedural steps to categorize\nhave not been specified in COOP supplements or          essential personnel according to necessary functions\nDRPs and the alternate work locations may not be        and ensure alternate worksites are readily accessible.\navailable during an event.\n                                                        OFRMS and OIT concurred with all recommen-\nTWM further found the SEC\xe2\x80\x99s plans of action and         dations in the report that were addressed to their\nmilestones did not include certain issues found or      respective offices. The offices provided OIG with\nrecommendations for improvement made dur-               corrective action plans that were fully responsive\ning COOP or DRP testing. The review also found          to each recommendation. However, recommenda-\nthat while the SEC conducts COOP and disaster           tions remain open until documentation is provided\nrecovery exercises, the testing included a high con-    that demonstrates the recommendations were\ncentration of personnel at headquarters and many        implemented. The report is available on the OIG\xe2\x80\x99s\nessential personnel were not included. Lastly, the      website at http://www.sec-oig.gov/Reports/AuditsIn-\nreview identified that the SEC did not have current     spections/2012/502.pdf.\nmemoranda of agreement, memoranda of under-\nstanding, or service level agreements for alternate\nworksites. TWM found these documents were               SEC\xe2\x80\x99s Records Management Practices\neither outdated or not included in the Commis-          (Report No. 505)\nsion\xe2\x80\x99s COOP or DRP.\n                                                                       B ackground\n          R ecommendations                              The Office of Records Management Services\nThe OIG issued its report on April 23, 2012, and        (ORMS) is responsible for coordinating, oversee-\nmade 38 recommendations that were designed to           ing, and implementing the SEC\xe2\x80\x99s records manage-\nstrengthen the SEC\xe2\x80\x99s COOP.                              ment program at its headquarters, operations\n                                                        center, and 11 regional office locations. ORMS\nThe OIG recommended, among other things, the            and the Office of Security Services (OSS) are direct\nOffice of Freedom of Information Act, Records           reporting units to the Office of Support Operations\nManagement, and Security (OFRMS) and OIT, in            (OSO). OSS has oversight of SEC\xe2\x80\x99s vital records\nconjunction with SEC divisions and offices, update,     program, while ORMS oversees the SEC\xe2\x80\x99s overall\nrevise, and finalize all COOP documents, includ-        records management program through points-of-\ning COOP plans and supplements, DRPs, BCPs,             contact (POC) in most divisions and offices. The\nbusiness impact analyses, and pandemic plans            POCs provide oversight of their individual records\nand supplements. The OIG further recommended            management program and practices. ORMS\xe2\x80\x99\nOFRMS and OIT ensure these documents are                responsibilities include providing reference services\ncomplete, include necessary elements, and properly      for Commission staff, other federal, state, and local\ndefine the SEC\xe2\x80\x99s essential functions.                   entities and members of the public that are essential\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                |   19\n\x0cfor the SEC to achieve its mission. Additionally,        Our review of a sample number of records requests\nORMS coordinates with the SEC\xe2\x80\x99s Office of Inves-         found that some ORMS staff did not follow the\ntor Education and Advocacy and Public Reference          office\xe2\x80\x99s standard operating policy in processing\nRoom concerning records reference requests from          requests and several requests were not completed\nthe public. Further, ORMS assists the Office of          within ORMS\xe2\x80\x99 seven business days goal for non-\nFreedom of Information Act (FOIA) Services, in           urgent records requests.\nresponding to requests for nonpublic records under\nFOIA.                                                    The audit also identified offices that did not have\n                                                         records retention schedules and other offices whose\nThe objectives of our audit were to examine              records retention schedules were outdated. Addi-\nwhether ORMS:                                            tionally, we found ORMS had not met with all SEC\n                                                         offices to determine if they had records.\n\xe2\x80\xa2\t   established a viable records management\n     program that ensures permanent SEC records          The OIG determined that many divisions and\n     are appropriately maintained and preserved in       offices did not have proper records management\n     accordance with applicable federal statutes and     procedures to ensure that active records are prop-\n     regulations; and                                    erly and economically maintained and used on a\n\xe2\x80\xa2\t   adhered to applicable federal statutes and          regular basis. Further, the audit found that inactive\n     regulations regarding the retention, disposal,      records were not regularly disposed.\n     transfer, and recovery of SEC records.\n                                                         Several POCs informed the OIG they did not know\n                    R esults                             when their records should be disposed of and did\nThe audit found that the SEC did not have an             not do so annually. Additionally, the OIG found\nactive staff assistance program and ORMS or its          ORMS had not reviewed the contents of 256 boxes\npredecessors did not conduct periodic agency-wide        that its contractor identified in a November 2010\nstaff assistance visits. Although ORMS provided          report that was issued to ORMS. These boxes con-\nassistance to offices and divisions to identify their    tained records that must be reviewed and scheduled\nrecords and had scheduled records for disposition,       for disposition. ORMS informed the OIG that, as\nit had not conducted staff assistance visits of all      of September 2012, it had reviewed 98 of the 256\n36 SEC divisions and offices. Therefore, confusion       boxes and coordinated with the Federal Records\nexisted among POCs regarding their records man-          Center (FRC) to review the remaining boxes.\nagement responsibilities.\n                                                         The audit also found that ORMS had not per-\nIn addition, the audit revealed that although ORMS       formed a timely review of SEC records that were\nreadily answered agency staff questions about            eligible for destruction. As a result, there was an\nrecords matters, provided basic records manage-          approximate 10-year backlog of records that were\nment training during the SEC\xe2\x80\x99s new employee orien-       eligible for destruction but had not been destroyed.\ntation, and provided training to staff in the regional   Although ORMS maintains hard copies of disposal\noffices, ORMS did not provide records management         forms the FRC provided for records review, approv-\ntraining to staff agency-wide. The OIG determined        al, and destruction, the office did not maintain a\nthat this has caused confusion among employees.          list of Commission records the FRC identified as\n                                                         eligible for destruction.\n\n\n\n\n20   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cFurther, we determined that some offices and divi-      the SEC\xe2\x80\x99s records management programs in accor-\nsions did not have records management POCs. We          dance with SECR 7-1, Securities and Exchange\nalso found that SEC\xe2\x80\x99s records management direc-         Commission\xe2\x80\x99s Records Management Program. In\ntives did not require offices or divisions to have      addition, OIG recommended ORMS develop a\nrecords management POCs. As a result, some SEC          records management training program and offer\nemployees did not understand their records manage-      training sessions on records management to all SEC\nment responsibilities. Also, the federal regulations    employees. We also recommended ORMS develop\nand SEC policies covering records management            robust internal controls that provide oversight of\nwere not being followed properly.                       its records requests processes. Further, we recom-\n                                                        mended that ORMS work with offices and divisions\nAt the time of our audit, OSS had oversight of          agency-wide to ensure they have current manage-\nSEC\xe2\x80\x99s vital records program and was working             ment procedures that enable them to properly\nwith ORMS to evaluate the program, but had not          manage their records in accordance with applicable\ndefined the SEC\xe2\x80\x99s vital records and did not review or   federal regulations and the SEC\xe2\x80\x99s administrative\nupdate the Commission\xe2\x80\x99s vital records at least annu-    regulations.\nally. As a result, the SEC\xe2\x80\x99s listing of vital records\nwas incomplete and outdated. Further, the SEC had       Additionally, the OIG recommended ORMS\nnot definitively established how it will protect and    develop a definitive action and milestones plan to\nretrieve vital records in an emergency. Due to chang-   review the records backlog maintained at the FRC\nes in responsibilities for vital records management,    and determine how the records will be treated. We\nconfusion existed regarding the SEC\xe2\x80\x99s compliance        also recommended ORMS develop an action plan\nwith the National Archives and Records Adminis-         to address the 10-year backlog of records the FRC\ntration\xe2\x80\x99s (NARA) guidance on vital records. Thus,       has identified as being eligible for destruction.\nthe SEC did not comply with certain vital records\nmanagement regulations.                                 Further, the OIG recommended ORMS require\n                                                        all divisions and offices to designate a POC for\nLastly, our audit found the SEC\xe2\x80\x99s records manage-       records management matters, and periodically\nment administrative regulations and vital records       verify the POC listing. We also recommended OSS,\nhandbook were outdated. The administrative regu-        in coordination with ORMS, develop a vital records\nlations contained terminology, processes, and forms     program that includes processes and procedures,\nthat were no longer current, and the vital records      and establish and maintain the SEC\xe2\x80\x99s vital records in\nhandbook included a form the SEC never used.            accordance with applicable federal regulations and\n                                                        NARA\xe2\x80\x99s guidance on vital records management.\n          R ecommendations\nOn September 30, 2012, the OIG issued a final           We also recommended ORMS update its adminis-\nreport containing 12 recommendations that were          trative regulations covering records management\ndesigned to ensure the SEC\xe2\x80\x99s records are properly       and train SEC employees on the new regulations.\nmanaged and to strengthen the SEC\xe2\x80\x99s records man-        Lastly, we recommended OSS and ORMS coordi-\nagement program.                                        nate review of the SEC\xe2\x80\x99s Vital Records Handbook\n                                                        and determine if it will be revised or rescinded.\nSpecifically, the OIG recommended ORMS periodi-\ncally conduct agency-wide staff assistance visits of\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012               |   21\n\x0cManagement concurred with all of the report\xe2\x80\x99s             abuse. The specific audit objectives were to assess\nrecommendations. Each recommendation will                 whether OIA:\nremain open until documentation is provided to\nOIG that demonstrates the recommendations                 \xe2\x80\xa2\t   had viable policies, procedures, and controls for\nwere implemented. This report is available on                  its program activities;\nOIG\xe2\x80\x99s website at: http://www.sec-oig.gov/Reports/         \xe2\x80\xa2\t   effectively tracked and processed requests for\nAuditsInspections/2012/505a.pdf.                               technical assistance and enforcement assistance\n                                                               in a timely manner;\n                                                          \xe2\x80\xa2\t   had developed a program that ensures SEC\nThe Office of International Affairs Internal                   employees\xe2\x80\x99 international travel is appropriately\nOperations and Travel Oversight                                processed through OIA;\n(Report No. 508)                                          \xe2\x80\xa2\t   adequately communicated the SEC\xe2\x80\x99s interna-\n                                                               tional travel process and related procedures to\n               B ackground                                     employees; and\nThe mission of the Office of International Affairs        \xe2\x80\xa2\t   appropriately conducted and reported its staff\xe2\x80\x99s\n(OIA) is to promote investor protection and cross-             international travel in accordance with appli-\nborder securities transactions by: (1) advancing               cable federal regulations and internal policies\ninternational regulatory and enforcement coopera-              and procedures.\ntion, (2) promoting the adoption of high regulatory\nstandards worldwide, and (3) formulating technical                             R esults\nassistance programs to strengthen the regulatory          The OIG found OIA\xe2\x80\x99s operating units had viable\ninfrastructure in global securities markets.              policies, procedures, and controls, and OIA effec-\n                                                          tively tracked and processed technical and enforce-\nOIA also serves as the focal point for the SEC staff\xe2\x80\x99s    ment assistance requests. However, OIA had not\nofficial international travel. OIA reviews staff\xe2\x80\x99s pro-   documented its international travel coordination\nposed foreign travel, as presented in the SEC\xe2\x80\x99s For-      and review procedures. In addition, our testing of\neign Travel Memorandum (FTM) and supporting               FTMs, the primary review document for interna-\ndocuments, which travelers provide to OIA. OIA            tional travel, found that:\nthen submits these documents to the Office of the\nChief Operating Officer (OCOO) for final review           \xe2\x80\xa2\t   FTMs were not always submitted to OIA two\nand approval. Further, OIA coordinates SEC staff\xe2\x80\x99s             weeks prior to the start of travel, as is required\nneeded country clearances with the U.S. Department             by SEC policy;\nof State and foreign governments, and determines          \xe2\x80\xa2\t   Some FTMs did not have one or more required\nif there are any visa requirements. In addition, OIA           supporting documents; and\nprovides input to the \xe2\x80\x9cInternational Travel\xe2\x80\x9d section      \xe2\x80\xa2\t   Some FTMs were approved by the former\nof the SEC\xe2\x80\x99s intranet, which provides foreign travel           Executive Director on or after the traveler\xe2\x80\x99s\nguidance to SEC staff.                                         departure date, and the former Executive Direc-\n                                                               tor did not approve a few FTMs.\nThe overall objective of the OIG\xe2\x80\x99s audit was to\nassess the effectiveness and efficiency of OIA\xe2\x80\x99s          The audit also found that while OIA obtained\ninternal operations and identify areas for improve-       country clearances for SEC international travelers,\nment to reduce or eliminate fraud, waste, and             it maintained the documents in its file and did not\n                                                          provide them to the travelers.\n\n\n\n\n22   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cFurther, our review of supporting documentation         Additionally, we recommended OIA establish\nfor three separate international trips taken by SEC     procedures and provide training to its staff on the\nin 2009 and 2010, did not sufficiently document         proper application of federal travel regulations and\nthe benefits to be derived from these trips. However,   SEC travel policies related to planning international\nOIA management provided the OIG with additional         trips, preparing expense reports, and computing and\ndocumentation to justify the benefits of these trips.   recording compensatory time for travel. We also\n                                                        recommended OIA ensure its timekeeper records\nOur review of a sample number of international          compensatory time for travel in the pay period the\nexpense reports found compliance with federal           hours are earned.\ntravel regulations and SEC travel policies needed\nimprovement. Specifically, we determined that 61        Finally, we recommended OIA and OCOO review\npercent of expense reports in our sample were not       guidance on the SEC intranet related to interna-\nsubmitted by travelers within five working days         tional travel processes and procedures and regularly\nafter the trips\xe2\x80\x99 completion, as required. The audit     update this information.\nalso found compliance issues related to business\nclass travel, taxis, airport parking, hotel per diem,   OIA and OCOO concurred with the recommen-\nmeals and incidental expenses, and the record-          dations addressed to their respective offices. Each\ning of compensatory time for travel. Finally, we        recommendation will remain open until OIG is pro-\ndetermined the \xe2\x80\x9cInternational Travel\xe2\x80\x9d section on        vided documentation that supports the recommen-\nthe SEC\xe2\x80\x99s intranet had outdated information that        dations were implemented. The report is available\nneeded updating.                                        on the OIG\xe2\x80\x99s website at http://www.sec-oig.gov/\n                                                        Reports/AuditsInspections/2012/508.pdf.\n          R ecommendations\nBased on the results of the audit, the OIG issued\nthe final report on September 30, 2012. The report      PENDING AUDITS AND EVALUATIONS\ncontained 10 recommendations that were developed\nto strengthen OIA\xe2\x80\x99s internal operations and to assist   SEC\xe2\x80\x99s Whistleblower Program\nOIA and the OCOO in effectively executing their         During this reporting period, the OIG began a\ninternational travel-related responsibilities.          statutorily mandated study to evaluate the SEC\xe2\x80\x99s\n                                                        whistleblower program, which was established\nSpecifically, the OIG recommended OIA develop           pursuant to the Dodd-Frank Act. The audit will\nand implement written procedures for its travel         determine (1) if the final rules implementing the\ncoordination and review activities. In addition, we     SEC\xe2\x80\x99s whistleblower program clearly defined\nrecommended OIA strengthen its travel adminis-          the program and make it user friendly; (2) if the\ntrative activities. In this regard, OIA and OCOO        program is promoted on the SEC\xe2\x80\x99s website and has\nshould periodically inform SEC staff of the require-    been widely publicized; (3) whether the Commis-\nment to prepare FTMs at least two weeks before the      sion is prompt in responding to whistleblowers and\ntravel date and to provide supporting documents         other interested parties; (4) whether reward levels\nwith the FTM to OIA. Further, we recommended            are adequate to entice whistleblowers to provide\nthe FTM be revised to include a justification for       information or too high thereby encouraging ille-\napproved travel and copies of approved country          gitimate whistleblower claims; and (5) how current\nclearances be provided to international travelers.      policies, procedures, and provisions of the Dodd-\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012               |   23\n\x0cFrank Act impact the effectiveness of the SEC\xe2\x80\x99s         to determine (1) if the SEC\xe2\x80\x99s systems are appropri-\nwhistleblower program.                                  ately certified and accredited in accordance with\n                                                        governing guidelines and industry best practices;\nFieldwork is currently ongoing, and we expect to        (2) if the C&A process for critical applications is\nissue a final report in January 2013.                   effective in identifying and mitigating risks in a\n                                                        timely manner; and (3) the adequacy of OIT\xe2\x80\x99s inter-\n                                                        nal controls and compliance with internal informa-\nSupport, Expert, and Consulting Services                tion security policies and procedures and industry\nContracts at the SEC                                    best practices, standards, and guidelines.\nWe contracted with an independent public accoun-\ntant to conduct an audit of the SEC\xe2\x80\x99s contract for      In addition, the evaluation will determine whether\nsupport, expert, and consulting services. The pri-      OIT\xe2\x80\x99s C&A process is consistent with the National\nmary objective of the audit is to determine whether     Institute of Standards and Technology\xe2\x80\x99s (NIST) six-\nthe Office of Acquisitions (OA) awarded contracts       step risk management framework guidance, Guide\nfor services that were inherently governmental or       for Applying the Risk Management Framework to\nhas contracts that are being administered as per-       Federal Information Systems (NIST 800-37, Rev\nsonal services contracts, in violation of the Federal   1). Where appropriate, the evaluation will identify\nAcquisition Regulation. Further, the audit will         areas that can be strengthened and best practices.\ndetermine if OA has (1) internal controls and policy\nto prevent contractors from performing inherently       The contractor will complete its work and issue a\ngovernmental functions, (2) policy that prohibits       final report during the next semiannual reporting\nservices contracts from being administered as per-      period.\nsonal services contracts; (3) monitoring guidance to\nensure the contract terms are carried out in com-\npliance with governing federal laws, regulations,       Hiring Practices for Senior Level\nand SEC internal policy; and (4) internal controls      Positions at the SEC\nto ensure the SEC is properly charged for services      The OIG has continued to receive complaints and\nrendered under the terms of the contracts. Where        allegations regarding the SEC\xe2\x80\x99s failure to follow\nappropriate, the audit will identify best practices     established policies and procedures in connection\nand possible cost savings.                              with hiring or promoting staff to senior-level posi-\n                                                        tions. As a result, the OIG is conducting an audit of\nThe contractor will complete the audit and issue a      the SEC\xe2\x80\x99s civil service hiring practices. During the\nfinal report during the next semiannual reporting       reporting period, we extended the scope of the audit\nperiod.                                                 and revised the objectives to better assess systemic\n                                                        issues related to the SEC\xe2\x80\x99s hiring and promotion\n                                                        practices for senior level staff positions.\nEvaluation of the SEC\xe2\x80\x99s Systems Certification\nand Accreditation Process                               The objectives of the audit are to examine whether\nThe OIG hired a contractor to perform an indepen-       OHR (1) adheres to applicable federal statutes and\ndent review of the OIT\xe2\x80\x99s certification and accredita-   regulations and has adequate policies and proce-\ntion (C&A) process. The evaluation\xe2\x80\x99s objectives are     dures covering senior level vacancies in the competi-\n\n\n\n\n24   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0ctive service, excepted service, and for senior officers;   The SEC\xe2\x80\x99s Controls Over Sensitive and\n(2) ensures the SEC\xe2\x80\x99s hiring and promotion practices       Proprietary Information Collected and\nare carried out in a fair and consistent manner and        Exchanged With the Financial\nin accordance with applicable federal statutes, regu-      Stability Oversight Council\nlations and OHR policy requirements; (3) commu-            During the reporting period, as part of the CIGFO\nnicates its hiring authority, decisions, and changes       working group, the Office of Audits worked on a\nto the appropriate personnel; (4) ensures hiring and       joint audit with other CIGFO members\xe2\x80\x99 staff to\npromotion decisions are documented in accordance           examine the respective agencies\xe2\x80\x99 management and\nwith applicable federal statutes and regulations;          internal controls over sensitive and proprietary\nand (5) takes action in accordance with applicable         (nonpublic) information that was collected and\nfederal statutes and regulations and OHR policy            exchanged with the FSOC. CIGFO was established\npertaining to improper hirings or promotions.              to (1) facilitate information sharing among inspec-\n                                                           tors general, (2) provide a forum for discussing\nThe audit\xe2\x80\x99s fieldwork is nearing completion and            work as it relates to the broader financial sector, and\nseveral tentative findings have been drafted. We           (3) evaluate the FSOC\xe2\x80\x99s effectiveness and internal\nexpect to issue a final audit report by the end of         operations. A joint report entitled, Audit of the\nnext semiannual reporting period.                          Financial Stability Oversight Council\xe2\x80\x99s Controls\n                                                           over Non-public Information, was issued to the\n                                                           FSOC Chairman on June 22, 2012. The report did\nFiling Fee Refund Requests                                 not make any recommendations.\nThe OIG commenced an audit of the Office of\nFinancial Management\xe2\x80\x99s (OFM) filing fee refund             As a follow-up to the joint audit, OIG conducted\nrequest procedures during this reporting period. We        an audit of the SEC\xe2\x80\x99s controls for handling and\ncontracted an independent public accounting firm           safeguarding nonpublic information from unau-\nto conduct this audit. The objectives of the audit         thorized disclosure. The audit\xe2\x80\x99s objective was to\nare to assess (1) the adequacy of OFM\xe2\x80\x99s written            examine the controls and protocols employed by\npolicies and standard operating procedures covering        the SEC to ensure that the nonpublic information,\nits oversight of the filing fee program; (2) whether       including deliberations, and decisions, of the FSOC,\nprogram staff are adequately trained and have the          the Department of Treasury\xe2\x80\x99s Office of Financial\nrequisite skills needed carry out their duties; (3)        Research, and the FSOC member agencies is prop-\nif the system being used to track filing fee refund        erly safeguarded from unauthorized disclosure.\nrequests is appropriate; and (4) whether backlogs\nand dormant accounts are properly administered             During the semiannual reporting period, fieldwork\nand managed.                                               was completed and a report was drafted. The final\n                                                           audit report will be issued in the next semiannual\nWhere possible, the contractor will also identify          reporting period.\nbest practices and determine whether there are cost\nsaving opportunities. The contractor will complete\nthe audit and issue a final report during the next\nreporting period.\n\n\n\n\n                                                           APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   25\n\x0cFiscal Year 2012 Federal Information Security          Additionally, the contractor will evaluate OIT\xe2\x80\x99s:\nManagement Act (FISMA) Assessment                      data and boundary protections; continuous\nThe OIG hired a contractor with IT expertise to        monitoring asset, configurations, and vulnerability\nperform an independent review of the SEC\xe2\x80\x99s IT          management; enterprise security architecture; inci-\nsecurity programs and practices. The contractor will   dent management; network security protocols; and\ndetermine the extent to which the SEC\xe2\x80\x99s OIT meets      system inventory and quality of the inventory.\nthe Department of Homeland Security (DHS) and\nNIST requirements covering configuration manage-       The contractor will further provide responses to\nment, contingency planning, continuous monitor-        DHS\xe2\x80\x99s fiscal year 2012 questions related to the\ning management, contractor systems, identity and       SEC\xe2\x80\x99s information security program. The contrac-\naccess management, incident response and report-       tor will also issue a final FISMA report prior to\ning, plan of action and milestones, remote access      the completion of the next semiannual reporting\nmanagement, risk management, security capital          period.\nplanning, and security training.\n\n\n\n\n26   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cInvestigations\nOVERVIEW                                                   complaint mechanisms. Complaints may be made\n\n\n\nT\n        he OIG\xe2\x80\x99s Office of Investigations responds         anonymously by calling the Hotline, which is staffed\n        to allegations of violations of statutes, rules,   and answered 24 hours a day, 7 days a week. Com-\n        and regulations and other misconduct by            plaints may also be made to the Hotline through an\nSEC staff and contractors. The misconduct investi-         online complaint form, which is accessible through\ngated ranges from criminal wrongdoing and fraud            the OIG\xe2\x80\x99s website. In addition to being a mecha-\nto violations of SEC rules and policies and the            nism for receiving complaints, the OIG\xe2\x80\x99s website\nStandards of Ethical Conduct for Employees of the          provides the public with an overview of the work of\nExecutive Branch.                                          the Office of Investigations, as well as links to some\n                                                           investigative memoranda and reports issued by\nThe Office of Investigations conducts thorough and         the Office of Investigations. The OIG also receives\nindependent investigations into allegations received       allegations from SEC employees of waste, abuse,\nin accordance with CIGIE Quality Standards for             misconduct, or mismanagement within the Com-\nInvestigations and the OIG Investigations Manual.          mission through the OIG SEC Employee Suggestion\nThe Investigations Manual contains the procedures          Program, which was established pursuant to Section\nby which the OIG conducts its investigations and           966 of the Dodd-Frank Act.\npreliminary inquiries and implements CIGIE Qual-\nity Standards. The Investigations Manual sets forth        The OIG reviews and analyzes all complaints\nspecific guidance on, among other things, OIG              received to determine the appropriate course of\ninvestigative authorities and policies, investigator       action. In instances where it is determined that\nqualifications, independence requirements, proce-          something less than a full investigation is appropri-\ndures for conducting investigations and preliminary        ate, the OIG may conduct a preliminary inquiry\ninquiries, coordination with the U.S. Department of        into the allegation. If the information obtained\nJustice (DOJ), and issuing reports of investigation.       during the inquiry indicates that a full investigation\n                                                           is warranted, the Office of Investigations will com-\nThe OIG receives complaints through the OIG                mence an investigation of the allegation. When an\nComplaint Hotline, an office electronic mailbox,           investigation is opened, the primary OIG investiga-\nmail, facsimile, and telephone. The OIG Complaint          tor assigned to the case prepares a comprehensive\nHotline consists of both telephone and web-based           plan of investigation that describes the focus and\n\n\n\n\n                                                           APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                  |   27\n\x0cscope of the investigation, as well as the specific     closed 18 such investigative recommendations dur-\ninvestigative steps to be performed during the          ing the reporting period.\ninvestigation. The OIG investigator interviews the\ncomplainant whenever feasible, and the OIG inves-\ntigator may give assurances of confidentiality to       INVESTIGATIONS AND INQUIRIES\npotential witnesses who have expressed a reluctance     CONDUCTED\nto come forward.\n                                                        Investigation Into Misuse of\nWhere allegations of criminal conduct are involved,     Resources and Violations of Information\nthe Office of Investigations notifies and works with    Technology Security Policies Within the\nDOJ and the Federal Bureau of Investigation (FBI),      Division of Trading and Markets\nas appropriate. The OIG also obtains necessary          (Report No. OIG-557)\ninvestigative assistance from OIT, including the        During the semiannual reporting period, the OIG\nprompt retrieval of employee e-mails and forensic       completed its investigation of an anonymous\nanalysis of computer hard drives. The OIG investi-      complaint alleging mismanagement of a computer\ngative staff also consults as necessary with the Com-   security lab in the Division of Trading and Mar-\nmission\xe2\x80\x99s Ethics Counsel to coordinate activities.      kets. The anonymous complaint alleged that lab\n                                                        staff inappropriately allocated and spent significant\nUpon completion of an investigation, the OIG            budget dollars to purchase computer equipment for\ninvestigator prepares a comprehensive report of         the lab without justification or planning; used unen-\ninvestigation that sets forth the evidence obtained     crypted laptops during inspections, in violation of\nduring the investigation. Investigative matters are     SEC information technology security policies; and\nreferred to SEC management and DOJ as appropri-         inappropriately used SEC funds for training without\nate. The OIG does not publicly release its reports of   filing appropriate training forms. The anonymous\ninvestigation because they contain nonpublic infor-     complaint alleged unprofessional behavior, inef-\nmation. The Commission decides whether an OIG           fective management, and misuse of unrestricted\ninvestigative report should be publicly released, in    Internet access.\nresponse to a Freedom of Information Act request\nor otherwise.                                           To investigate the allegations in the complaint, the\n                                                        OIG obtained and reviewed the e-mail records\nIn many investigative reports provided to SEC           for eight current and former SEC employees who\nmanagement, the OIG makes specific findings and         worked in the lab. The OIG also reviewed numer-\nrecommendations for consideration of administra-        ous documents pertaining to the lab and took\ntive action by management The OIG requests that         on-the-record testimony of twelve current and\nmanagement report to the OIG what, if any, admin-       former SEC employees with knowledge of the facts\nistrative actions have been taken in response to the    or circumstances surrounding the lab\xe2\x80\x99s operations,\nOIG\xe2\x80\x99s recommendations within 45 days of the issu-       functions, or acquisitions.\nance of the report. The OIG follows up as appro-\npriate with management to determine the status of       The OIG investigation found that since 2006, lab\nadministrative action taken in matters referred by      staff spent over $1 million dollars on computer\nthe OIG. The OIG may also make recommenda-              equipment and software with little oversight or\ntions for improvements in policies, procedures, and     planning and that a significant portion of the\ninternal controls in its investigative reports and      equipment and software purchased was unneeded\n\n\n\n\n28   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cor never used in the program. The OIG found that         virus protection may not have had that protection\nalthough the lab\xe2\x80\x99s budget was vetted by a project        installed until late 2011.\nreview board and the actual equipment and soft-\nware purchases were submitted through OIT, nei-          Although no lab laptop was reported lost or\nther the review board nor OIT knew enough about          stolen, the unprotected laptops could have been\nthe lab, its mission, or the items it was purchasing     compromised. The OIG found evidence that the\nto adequately judge whether the money was being          unprotected laptops were left unattended in hotel\neffectively spent. Further, the OIG found that the lab   rooms and in offices outside the SEC and that the\ncontinued to spend money on technology despite           laptops were connected to public wireless networks\nnot having the staff to implement the technology it      at hotels. The OIG also found that the laptops and\nwas buying. In addition, the OIG discovered that         the data they contained were placed at risk when\nsome equipment was taken home by lab employees           they were connected to an unfiltered, unmonitored\nand used primarily for personal purposes.                Internet connection in the lab, which was used to\n                                                         access Internet sites otherwise prohibited by SEC\nThe OIG also found that some of the lab\xe2\x80\x99s equip-         policy, such as personal e-mail sites. The staff also\nment was purchased based on misrepresentations           used the lab Internet to download freeware onto\nmade by lab staff in contracting documents. During       the unprotected laptops in violation of SEC policy.\ntestimony, two lab staff admitted misrepresenting in     Additionally, lab staff, including a manager, brought\ncontracting documents that the lab needed a certain      in personal computers, which were connected to\nbrand of computer because the entities the staff         the lab network, thereby potentially infecting that\ninspected were commonly using that brand and             network with viruses and malware.\nthat computer tablets were needed for a specific\nmethod of testing. However, the OIG found that           Further, the OIG found that the lab staff\xe2\x80\x99s multiple\nbrand of computers identified in the contracting         violations of SEC information technology security\ndocuments was not commonly used at the entities          policies occurred despite the SEC having spent\nthe staff inspected and that the tablets could not in    hundreds of thousands of dollars training the lab\nfact be used for the purpose stated in the contract-     staff. The lab staff had perhaps the largest per\ning documents.                                           person training budget at the SEC, spending, with\n                                                         little oversight, an average of $20,000 on training\nIn addition, the OIG discovered that lab staff mem-      per person per year. Lab staff could choose from a\nbers were taking unencrypted laptops and laptops         variety of classes offered by prepaid training ven-\nwithout virus protection on inspections. Because         dors and sign up for those classes without filling out\nthe laptops used by the lab staff were not config-       training forms usually required for other SEC staff.\nured by OIT, the lab staff members were respon-          Lab staff members were also not required to sign\nsible for installing and maintaining encryption          continued service agreements in connection with\nand antivirus software on those laptops. However,        their training. Therefore, they were able to leave the\nseveral laptops had no such protection and the           SEC any time after building up their resumes with\nlab had no internal policies regarding installing or     tens of thousands of dollars in training paid for by\nmaintaining encryption and virus protection on the       the SEC.\nlab equipment, despite an SEC-wide requirement\nthat all portable media, including laptops, contain      Overall, the OIG found that lab management did\nencryption. Moreover, the OIG found that even            very little to monitor what was happening in the\nthe few laptops identified as having encryption and      lab. Managers could not physically access the lab\n\n\n\n\n                                                         APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   29\n\x0cwith their badges for several years, did not know        follow-up audits of the lab and, more broadly, of\nwhat equipment the lab purchased or what it was          the purchase of information technology equipment\nused for, and did not track or monitor the training      throughout the SEC to ensure that proper controls\nthat lab staff received. Management also did not put     are in place to prevent waste and potential data\nin place policies and procedures to protect the data     breaches in the future.\nlab staff collected or take any steps to ensure that\nlab staff members abided SEC OIT policies.               Subsequent to the issuance of the OIG\xe2\x80\x99s report, the\n                                                         outside vendor the SEC retained to perform forensic\nBecause of the nature of the issues the OIG discov-      analysis on select lab laptops issued its report, which\nered in its investigation and in an effort to protect    indicated that forensic analysis was performed on\nthe information contained in the lab and on lab          eight laptops and no evidence of a compromise was\nequipment, the OIG informed SEC management               found. The OIG plans to perform further review of\nabout the issues uncovered in the investigation          this matter as necessary.\nbefore the OIG had issued its report of investigation\nin this matter. As a consequence, before the report\nwas issued, SEC management commenced certain             Physical Altercation and Security Violations\nactions to address the problems and deficiencies the     by a Division of Enforcement Contractor\nOIG investigation identified. Among other things,        (Report No. OIG-572)\nthe SEC contracted with an outside forensics team        The OIG opened this investigation immediately\nto conduct testing and related work on selected lap-     after learning from a confidential source that an\ntops that had been used by the lab staff. In addition,   unauthorized entry and a physical altercation\nmanagement implemented several policy changes,           occurred within the SEC headquarters facility.\nincluding requiring that staff use only laptops with     The confidential source informed the OIG that\nmanagement\xe2\x80\x99s pre-approved security configurations.       a male, later identified as a Division of Enforce-\nSEC management also placed two employees on              ment contractor, circumvented security protocol\npaid, non-duty status pending completion of the          by inappropriately granting his girlfriend access to\nOIG investigation. Both employees resigned shortly       SEC space and had a physical altercation with the\nbefore the report was issued.                            woman on SEC premises. The confidential source\n                                                         stated that the SEC Office of Security Services (OSS)\nThe OIG issued its report of investigation to man-       and the SEC\xe2\x80\x99s contract security force were made\nagement on August 30, 2012, for consideration of         aware of the altercation after security officers who\nappropriate administrative action with respect to        are employed by the SEC headquarters building\nthe individuals responsible for the problems and         landlord\xe2\x80\x94not the SEC\xe2\x80\x94witnessed the incident. The\ndeficiencies who remained employed by the SEC.           confidential source also alleged that the incident was\nThe OIG also recommended that (1) OIT exercise           facilitated in part by inadequate security measures.\nauthority over the lab to ensure its equipment was\nproperly secured and protected; (2) the lab\xe2\x80\x99s future     The OIG conducted an investigation of this mat-\nequipment purchases be properly monitored by             ter and substantiated the allegations that both\nanother SEC office; and (3) lab staff be required to     an unauthorized entry and a physical altercation\ncomplete appropriate training forms and the SEC          occurred in the SEC\xe2\x80\x99s headquarters on the night in\nclarify its policy on continued services agreements.     question. During the course of this investigation,\nIn addition, the report was provided to the OIG          the OIG took sworn testimony from and inter-\nOffice of Audits for consideration of conducting         viewed multiple individuals with knowledge of facts\n\n\n\n\n30   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0crelevant to the investigation. The OIG also obtained     SEC may have criminal records. Subsequent to the\nand reviewed SEC video footage of the reported           incident in question, OSS management began a\nunauthorized entry and physical altercation, as well     review of these contractors\xe2\x80\x99 access to SEC facilities\nas relevant documents, including security incident       and systems.\nreports, an SEC personnel security file, criminal his-\ntory reports and other public records. Additionally,     The OIG issued its report of investigation to man-\nthe OIG searched approximately 64,000 e-mails for        agement on August 17, 2012, describing the find-\n9 current and former SEC employees and contrac-          ings of the investigation in detail. As a result of these\ntors relevant to this matter. Further, the OIG visited   findings, the OIG Office of Investigation referred the\nthe SEC\xe2\x80\x99s Security Command Center to review              identified personnel security and physical security\nthe camera monitoring function and notified the          deficiencies to the OIG\xe2\x80\x99s Office of Audits for consid-\nWashington Metropolitan Police Department of the         eration of appropriate audits. The OIG also referred\nincident.                                                the matter to management for purposes of taking\n                                                         appropriate corrective action to remedy the findings\nThe OIG investigation determined that the SEC\xe2\x80\x99s          contained in the report of investigation.\nOSS was notified of the physical altercation and\nunauthorized access through building management\nsecurity, rather than through the SEC\xe2\x80\x99s contract         Fraud, Falsification, and Misuse of Computer\nsecurity force. The OIG investigation also found         Resources by Headquarters Employees\nthat an SEC security camera was trained on the area      (Report No. OIG-563)\nwhere the altercation occurred and there was an          During the semiannual reporting period, the OIG\naudible alarm sounding continuously from an SEC          completed its investigation into fraud, falsification,\nturnstile, which was triggered when the unidentified     and misuse of computer resources involving two\nwoman exited the turnstile without an SEC badge.         headquarters employees. The investigation was con-\nHowever, the SEC\xe2\x80\x99s contract security force officers      ducted jointly with the District of Columbia OIG\ndid not respond to the scene during the incident,        and the U.S. Office of Personnel Management OIG.\nbut did eventually turn off the sounding alarm. The\nOIG\xe2\x80\x99s investigation also revealed that the SEC con-      As noted in our semiannual report for the period\ntractor involved in the altercation and unauthorized     ending March 31, 2012, the first employee had pled\nentry was allowed to leave the facility that evening     guilty in District of Columbia Superior Court to one\nand returned to work the following day, but was          count of first degree felony fraud. In April 2012, the\nthen removed from the facility.                          employee was sentenced to 365 days in jail with all\n                                                         but 20 days suspended and five years of probation,\nThe OIG investigation further found that the SEC         and was ordered to pay restitution in the amount of\ncontractor had numerous prior criminal convic-           approximately $30,000.\ntions, but was nonetheless was granted a waiver for\ninvestigation requirements to enter on duty, issued      The OIG\xe2\x80\x99s investigation of the second employee\xe2\x80\x99s\na contractor badge, and received full access to SEC      conduct uncovered evidence of various acts of\nheadquarters and information technology systems          falsification and misuse of government computer\nfor several years. The contractor was only removed       resources by the employee. Specifically, the investi-\nfrom the SEC contract the day after the physi-           gation uncovered evidence that the employee had\ncal altercation occurred. Further, the OIG learned       submitted false claims for expenses of approxi-\nfrom OSS that other contractors employed at the          mately $14,500 to the federal flexible spending\n\n\n\n\n                                                         APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                   |   31\n\x0caccount program during a five-year period, and had      Unauthorized Disclosure of Nonpublic\nobtained reimbursement for those false claims. As       Information Concerning an Enforcement Matter\na results of this fraudulent conduct, the employee      (Report No. OIG-575)\nreceived a tax benefit to which she was not entitled    During the semiannual reporting period, the OIG\n(of approximately 30 percent of the fraudulent          opened an investigation into a complaint alleging\nclaims) and potentially avoided forfeiture of contri-   that nonpublic SEC information had been disclosed\nbution amounts that she had not spent on qualify-       to a reporter concerning the Commission\xe2\x80\x99s consid-\ning health care or dependent care expenses.             eration of an action recommended by Enforcement\n                                                        against a corporation. A news article had been\nThe investigation also found evidence that the          published electronically shortly before the Com-\nemployee had submitted fictitious college registra-     mission considered this Enforcement recommenda-\ntion statements in order to obtain scholarship funds    tion, which identified the corporation by name and\nfrom a nonprofit charitable organization comprised      described the nature of the charges against the cor-\nof former agency employees. These scholarship           poration that were reportedly to be considered by\nmonies were to be used toward tuition payments          the Commission that day. Commission regulations\nfor an undergraduate degree program; however,           expressly prohibit SEC employees from disclosing\nthe employee admitted that she was not attend-          nonpublic information unless specifically authorized\ning classes at the time and used the money to pay       to do so.\nhousehold expenses. Finally, the investigation found\nevidence that the employee had misused her SEC          The OIG investigated whether a leak in fact\ne-mail account in connection with the falsification     occurred and whether there was evidence that the\nof her personal credit union statements, which she      source of the leak was an SEC employee. During\nused to obtain short-term loans.                        the investigation, the OIG obtained and searched\n                                                        over 135,000 e-mails of 28 current or former SEC\nOn August 31, 2012, the OIG issued a detailed           employees. The OIG also conducted interviews of\nreport of investigation to management, discussing       the complainant and 26 current SEC employees. In\nits findings with respect to the second employee\xe2\x80\x99s      addition, the OIG obtained and reviewed docu-\nmisconduct. The OIG referred the matter for             ments that were related to the Enforcement inves-\nconsideration of appropriate administrative action      tigation and Commission action concerning the\nagainst the employee, and such action was pending       corporation, as well as SEC Blackberry telephone\nas of the end of the reporting period. In addition,     records and news media articles concerning the\nthe OIG referred the second employee to the United      SEC\xe2\x80\x99s action against the corporation.\nStates Attorney\xe2\x80\x99s Office of the District of Columbia,\nwhich declined prosecution in favor of administra-      The OIG investigation confirmed that information\ntive action. The OIG also referred evidence concern-    concerning the SEC\xe2\x80\x99s consideration of proceedings\ning the employee\xe2\x80\x99s student loans to the Department      against the corporation was improperly disclosed\nof Education OIG.                                       outside the Commission. However, based upon the\n                                                        evidence obtained during the investigation, the OIG\n                                                        was unable to conclude which specific individual or\n                                                        individuals improperly disclosed this information,\n                                                        or whether the disclosure was made by someone\n                                                        employed outside the SEC. On September 27, 2012,\n\n\n\n\n32   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cthe OIG issued a report of investigation in this       on the available evidence, the OIG was unable to\nmatter to management for informational purposes.       determine that the contractor was responsible for\nThe OIG\xe2\x80\x99s report described its findings in detail      that sale or conveyance.\nand encouraged management to continue to advise\nemployees, through training, correspondence, and       After learning of the BlackBerry orders in question,\nother means, of the prohibition on disclosing non-     the SEC requested that the contractor be removed\npublic information without authorization.              from the relevant OIT contract and terminated\n                                                       his access to SEC facilities. Shortly thereafter, his\n                                                       employment with the contractor was terminated.\nAllegations of Theft and/or Improper                   Moreover, during our investigation, we learned that\nHandling of SEC Blackberries                           OIT has instituted new procedures for ordering\n(Report No. OIG-566)                                   BlackBerries on behalf of the SEC.\nThe OIG concluded its investigation based upon\na referral from the SEC\xe2\x80\x99s OIT regarding informa-       In light of the fact that the contractor is no longer\ntion that it had received from its wireless services   working at the SEC, and that OIT has developed\nprovider concerning potentially improper orders        new property control procedures, the OIG con-\nof BlackBerries on the SEC\xe2\x80\x99s account. Specifically,    cluded that the likelihood of additional harm to the\nthe wireless services provider notified the SEC that   agency had been greatly reduced. The OIG issued a\ncertain orders of BlackBerry devices placed on the     report of investigation to management on Septem-\nSEC\xe2\x80\x99s account were being shipped to what appeared      ber 18, 2012. The OIG\xe2\x80\x99s report described in detail\nto be a residential address, which, upon review, was   the evidence obtained during the investigation and\ndetermined to belong to an SEC contractor.             recommended that OIT formalize and document\n                                                       its new procedures in writing to avoid recurrence of\nTo investigate the alleged theft or improper han-      this situation.\ndling of these SEC Blackberries, the OIG took the\nsworn testimony of the SEC contractor in ques-\ntion. During his testimony, the contractor admitted    Allegation of Leak of Draft Interagency Rule\nthat he had ordered the BlackBerry devices and         (PI 12-01)\nhad them shipped to his home address, but stated       The OIG completed its inquiry into the public\nthat he had brought all the devices into the office    disclosure of a confidential draft document prepared\nand deployed them to the agency. The OIG also          in connection with the so-called \xe2\x80\x9cVolcker Rule.\xe2\x80\x9d  \nconducted interviews of relevant OIT personnel,        Under the Dodd-Frank Act, the SEC, along with\nwho informed the OIG that these BlackBerries were      four other financial and bank regulatory agencies,\nnot in the SEC\xe2\x80\x99s possession. The OIT personnel         was tasked with coordinating and issuing certain\nalso informed the OIG that the SEC contractor did      rules, including the Volcker Rule, which would\nnot have the authority to order these devices on       implement the Dodd-Frank Act\xe2\x80\x99s prohibition of,\nbehalf of the SEC. In addition, the OIG consulted      among other things,  proprietary trading by banking\nthe wireless services provider, which informed the     entities. The SEC has worked with the four other\nOIG that at least some of these BlackBerry devices     agencies on the rulemaking process. On October 5,\nordered by the contractor and shipped to his home      2011, a banking industry newspaper published on\nare active on a non-SEC account. Accordingly, the      its website an article stating that it had obtained a\nOIG concluded that these BlackBerries were sold        draft document outlining key details of the Volcker\nor otherwise conveyed to non-SEC users, but based      Rule and containing a link to a 205-page PDF file\n\n\n\n\n                                                       APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                |   33\n\x0cpurporting to be that draft document. The OIG            raising efforts and whether the personal solicitations\nopened its inquiry into the public disclosure of that    made on a school\xe2\x80\x99s behalf were permissible.\ndraft document on October 13, 2011, after being\ncontacted by the Senate Banking Committee.               During this inquiry, the OIG reviewed relevant\n                                                         time and attendance and regional office security log\nThe OIG\xe2\x80\x99s inquiry focused on determining whether         records. Additionally, the OIG examined the senior\nthere was any evidence that the draft document was       counsel\xe2\x80\x99s remote computer access to the SEC net-\ndisclosed by anyone within the SEC and, if so, by        work and obtained and searched the senior coun-\nwhom. During its inquiry, the OIG obtained and           sel\xe2\x80\x99s e-mails for pertinent time periods. In addition,\nsearched e-mails of 48 current and former SEC            the OIG took the testimony of the senior counsel\xe2\x80\x99s\nemployees who had some involvement in the rule-          supervisor and attempted to take the testimony of\nmaking process during the relevant time period. The      the senior counsel, who terminated the interview.\nOIG also took the sworn testimony of 42 current\nSEC employees.                                           The OIG inquiry found evidence that the regional\n                                                         office senior counsel violated the Standards of Ethi-\nThe OIG inquiry did not identify any source within       cal Conduct for Employees of the Executive Branch\nthe SEC who provided a copy of the draft document        by using official time and resources to support\nto the industry newspaper or any other entity or         various school fundraisers. The OIG also found\nperson outside the SEC or the coordinating agen-         that the amount of work time the senior counsel\ncies working on the rule. Additionally, the OIG was      spent on school fundraisers was excessive and may\nunable to identify any draft within the SEC files it     have diminished his work productivity. Further,\nreviewed that corresponded exactly to the version of     the OIG determined that among the companies the\nthe draft document published by the newspaper. As        senior counsel solicited for school fundraisers were\na result, on July 27, 2012, the OIG issued a memo-       publicly traded companies, which are \xe2\x80\x9cprohibited\nrandum report describing the results of its inquiry to   sources\xe2\x80\x9d for solicitation by SEC employees. The\nmanagement for informational purposes.                   OIG also found that the senior counsel improperly\n                                                         used his SEC title (in addition to his SEC e-mail\n                                                         account) in personal solicitations on behalf of the\nAllegations of Misuse of Official Time and               schools for which he was fundraising. Finally, the\nViolation of Time and Attendance Rules                   OIG substantiated the allegation that the employee\n(PI 12-16)                                               frequently arrived at work late, and also found that\nThe OIG conducted a preliminary inquiry into             the employee\xe2\x80\x99s supervisor was aware of this issue\nan anonymous complaint alleging that a regional          and had brought it to the senior counsel\xe2\x80\x99s attention.\noffice senior counsel regularly arrived for work late\nand also left the office during core business hours      As a result of the OIG\xe2\x80\x99s findings, the OIG issued a\nwithout taking leave for these absences. A subse-        memorandum report to management on August\nquent anonymous complaint alleged that this senior       2, 2012, and referred the matter for consideration\ncounsel was a board member of a local school             of administrative action against the employee. The\norganization and exhibited unethical behavior in         OIG also obtained a declination of criminal pros-\nthe workplace. During the inquiry, the OIG also          ecution in the matter, and administrative action by\nconsidered whether the senior counsel used official      management was pending at the end of the report-\ntime and SEC resources to improperly support fund-       ing period.\n\n\n\n\n34   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cReview of Legislation and Regulations\n\n\nD\n         uring the semiannual reporting period, the    policies were outdated and recommended that\n         OIG reviewed legislation and proposed and     the all of the agency\xe2\x80\x99s COOP policies and proce-\n         final rules and regulations relating to the   dures be revised and updated. Similarly, during its\nSEC\xe2\x80\x99s programs and operations, pursuant to Section     audit of the SEC\xe2\x80\x99s record management practices\n4(a)(2) of the Inspector General Act, as amended.      (Report No. 505, issued September 30, 2012), the\n                                                       OIG reviewed the SEC administrative regulations\nIn particular, the OIG reviewed the requirements       pertaining to records management and found that\nand history of Section 1504 of the Dodd-Frank          they had not been updated for several years, with\nAct, which mandated reporting of payments made         one regulation dating back to May 1991. The OIG\nto governments for the extraction of oil, natural      recommended that the Office of Support Opera-\ngas, and minerals by companies that must file          tions ensure that these regulations are revised.\ndisclosures with the SEC, as well as the status of\nthe SEC\xe2\x80\x99s related rulemaking. The OIG\xe2\x80\x99s review         During an investigation completed during the\nwas performed in response to a request from U.S.       reporting period into the misuse of resources and\nSenators Richard Lugar and Benjamin Cardin, the        violations of information technology security\nsponsors of the amendment that became Section          policies (Report No. OIG-557, issued August 30,\n1504, that the OIG evaluate the status of the SEC\xe2\x80\x99s    2012), the OIG reviewed the requirements of the\nimplementation of Section 1504.                        SEC\xe2\x80\x99s training and development policy in effect\n                                                       at the time of the conduct described in the OIG\xe2\x80\x99s\nThe OIG also reviewed statutes, rules, and regula-     report. In particular, the OIG reviewed the para-\ntions, and their impact on Commission programs         graph of the policy related to continued service\nand operations, within the context of reviews,         agreements for training and recommended clari-\naudits, and investigations conducted during the        fication of this policy. The former training and\nreporting period. For example, in the OIG\xe2\x80\x99s review     development policy has been superseded by a new\nof the SEC\xe2\x80\x99s COOP (Report No. 502, issued April        administrative regulation on continued service\n23, 2012), the OIG reviewed the SEC OIT poli-          agreements for education and training.\ncies and procedures relating to business continuity\nmanagement, business impact analysis, and disaster     Also during the reporting period, the OIG reviewed\nrecovery planning. The OIG determined that these       a draft administrative regulation on the manage-\n\n\n\n\n                                                       APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012              |   35\n\x0cment and administration of service contracts and       Finally, in coordination with the Legislation Com-\na related draft operating procedure and checklist.     mittee of the CIGIE and other OIGs, the SEC OIG\nThe OIG provided comments on the draft docu-           reviewed and tracked various legislation that would\nments based upon information acquired during           impact OIGs, including H.R. 4404, \xe2\x80\x9cSunshine on\nan investigation the OIG had conducted during          Government Act of 2012,\xe2\x80\x9d and S. 300, \xe2\x80\x9cGovern-\nthe previous semiannual reporting period into an       ment Charge Card Abuse Prevention Act.\xe2\x80\x9d\nallegation of an improper personal services contract\n(Report OIG-569, issued March 29, 2012).\n\n\n\n\n36   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cmanagement decisions\n\n\n STATUS OF RECOMMENDATIONS WITH NO MANAGEMENT DECISIONS\n Management decisions have been made on all audit reports issued before the beginning of this reporting\n period.\n\n\n\n REVISED MANAGEMENT DECISIONS\n No management decisions were revised during the period.\n\n\n\n AGREEMENT WITH SIGNIFICANT MANAGEMENT DECISIONS\n The Office of Inspector General agrees with all significant management decisions regarding audit\n recommendations.\n\n\n\n INSTANCES WHERE INFORMATION WAS REFUSED\n During this reporting period, there were no instances where information was refused.\n\n\n\n\n                                                     APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012               |   37\n\x0c\x0ctableS\n\nTable 1. List of Reports: Audit and Evaluations\n\n    Report Number \t                                    Title\tDate Issued\n    \t      502\tReview of the SEC\xe2\x80\x99s Continuity of Operations Program \t              4/23/12\n    \t      505\tSEC\xe2\x80\x99s Records Management Practices\t                                 9/30/12\n    \t 508\tThe Office of International Affairs Internal\n    \t\t     Operations and Travel Oversight\t                                        9/30/12\n\n\n\n\nTable 2. Reports Issued with Costs Questioned or Funds Put to Better Use\n(Including Disallowed Costs)\n\n\t\t\t\tNo. of Reports                                                                 \t   Value\nA. \tReports issued prior to this period\n\tFor which no management decision had been made on any\n  issue at the commencement of the reporting period\t                       0\t              $0\n\t       For which some decisions had been made on some issues at the\n        commencement of the reporting period\t                              0\t              $0\nB. \tReports issued during this period\t                                     0\t              $0\n    \t\t                                      Total of Categories A and B\t0\t                 $0\n\nC. \tFor which final management decisions were made during this period\t     0\t              $0\nD. \tFor which no management decisions were made during this period\t        0\t              $0\nE. \tFor which management decisions were made on some issues\n    during this period\t                                                    0\t              $0\n    \t\t                                      Total of Categories C, D, and E\t0\t             $0\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012   |    39\n\x0cTable 3. Reports with Recommendations on which Corrective Action has not been Completed\nRecommendations Open 180 days or more\n\n\tReport Number\tIssue Date\tSummary of Recommendations\n\t   and Title\n439\xe2\x80\x94Student Loan Program      3/27/2008    In consultation with the National Treasury Employees\n                                           Union, develop a detailed distribution plan.\n474\xe2\x80\x94Assessment of the         3/29/2010    Develop a communication plan to address outreach to\nSEC\xe2\x80\x99s Bounty Program                       both the public and SEC personnel regarding the SEC\n                                           bounty program, which includes efforts to make informa-\n                                           tion available on the SEC\xe2\x80\x99s intranet, enhance informa-\n                                           tion available on the SEC\xe2\x80\x99s public website, and provide\n                                           training to employees who are most likely to deal with\n                                           whistleblower cases.\n                                           Examine ways in which the Commission can increase\n                                           communications with whistleblowers by notifying them\n                                           of the status of their bounty requests without releasing\n                                           nonpublic or confidential information during the course of\n                                           an investigation or examination.\n                                           Require that a bounty file (hard copy or electronic) be cre-\n                                           ated for each bounty application, which should contain at\n                                           a minimum the bounty application, any correspondence\n                                           with the whistleblower, documentation of how the whistle-\n                                           blower\xe2\x80\x99s information was utilized, and documentation\n                                           regarding significant decisions made with regard to the\n                                           whistleblower\xe2\x80\x99s complaint.\n                                           Incorporate best practices from the Department of Justice\n                                           (DOJ) and the Internal Revenue Service (IRS) into the\n                                           SEC bounty program with respect to bounty applica-\n                                           tions, analysis of whistleblower information, tracking of\n                                           whistleblower complaints, recordkeeping practices, and\n                                           continual assessment of the whistleblower program.\n                                           Set a timeframe to finalize new policies and procedures\n                                           for the SEC bounty program that incorporate the best\n                                           practices from DOJ and IRS, as well as any legislative\n                                           changes to the program.\n480\xe2\x80\x94Review of the SEC\xe2\x80\x99s       9/27/2010    Update Form 13F to a more structured format, such as\nSection 13(f) Reporting                    Extensible Markup Language, to make it easier for users\nRequirements                               and researchers to extract and analyze Section 13(f)\n                                           data.\n482\xe2\x80\x94Oversight of and          6/29/2011    Develop processes, including written policies and\nCompliance with Conditions                 procedures, regarding reviewing for compliance with\nand Representations Related                conditions and representations in exemptive orders and\nto Exemptive Orders and                    no-action letters issued to regulated entities on a risk basis.\nNo-Action Letters\n\n\n\n\n40   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cTable 3. Reports with Recommendations, continued\nRecommendations Open 180 days or more\n\n\tReport Number\tIssue Date\tSummary of Recommendations\n\t   and Title\n                                           In plans for implementing Section 965 of the Dodd-Frank\n                                           Wall Street Reform and Consumer Protection Act, develop\n                                           procedures to coordinate examinations with those\n                                           conducted by the Office of Compliance Inspections and\n                                           Examinations and, as appropriate, include provisions for\n                                           reviewing for compliance with the conditions in exemptive\n                                           orders and representations made in no-action letters on a\n                                           risk basis.\n                                           In connection with monitoring efforts, include compliance\n                                           with the conditions and representations in significant\n                                           exemptive orders and/or no-action letters issued to regu-\n                                           lated entities as risk considerations.\n485\xe2\x80\x94Assessment of the        9/29/2010     Evaluate risk assessment processes for scoring risk to ensure\nSEC\xe2\x80\x99s Privacy Program                      that the Office of Information Technology adequately weighs\n                                           all appropriate factors, including the identification of risk\n                                           levels by vendors.\n                                           Implement an agency-wide policy regarding shared folder\n                                           structure and access rights, ensuring that only the employ-\n                                           ees involved with a particular case have access to that\n                                           data. If an employee backs up additional information to\n                                           the shared resources, only the employee and his or her\n                                           supervisor should have access.\n                                           Ensure personal storage tab (PST) files are saved to a\n                                           protected folder.\n489\xe2\x80\x942010 Annual FISMA        3/3/2011      Complete a logical access integration of the Homeland\nExecutive Summary Report                   Security Presidential Directive 12 card no later than\n                                           December 2011, as reported to the Office of Manage-\n                                           ment and Budget on December 31, 2010.\n491\xe2\x80\x94Review of Alternative    9/28/2011     In developing the new Human Capital Directive, work\nWork Arrangements,                         with the National Treasury Employees Union to deter-\nOvertime Compensation,                     mine whether additional alternative work schedules, such\nand COOP-Related                           as the gliding, variable day, variable week, three-day\nActivities at the SEC                      workweek, and Maxiflex options described in the Office\n                                           of Personnel Management Handbook on Alternative\n                                           Work Schedules, should be adopted as options for SEC\n                                           employees.\n\n\n\n\n                                                   APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   41\n\x0cTable 3. Reports with Recommendations, continued\nRecommendations Open 180 days or more\n\n\tReport Number\tIssue Date\tSummary of Recommendations\n\t   and Title\n                                           Negotiate revisions to the language in the collective\n                                           bargaining agreement between the Commission and the\n                                           National Treasury Employees Union with respect to the\n                                           use of credit hours by employees working conforming\n                                           schedules, ensuring that the revised language conforms\n                                           with applicable law.\n                                           Perform server stress tests that incorporate a variety of\n                                           applications used with remote access.\n492\xe2\x80\x94Audit of SEC\xe2\x80\x99s           8/2/2011      Develop and implement a mechanism to reward employ-\nEmployee Recognition                       ees for superior or meritorious performance within their\nProgram and Recruitment,                   job responsibilities through lump-sum performance\nRelocation, and Retention                  awards.\nIncentives\n493\xe2\x80\x94OCIE Regional           3/30/2011      Continue efforts to establish a complete interface between\nOffices\xe2\x80\x99 Referrals to                      the Super Tracking and Review System or its equivalent,\nEnforcement                                the Hub, and the Tips, Complaints, and Referrals system.\n497\xe2\x80\x94Assessment of SEC\xe2\x80\x99s     8/11/2011      Ensure that security controls configurations that are\nContinuous Monitoring                      applied in the production environment are identical with\nProgram                                    those applied in the testing environment.\n                                           Develop and implement written procedures to ensure\n                                           consistency in the Commission\xe2\x80\x99s production and testing\n                                           environments. These procedures should detail the software\n                                           and hardware components in both environments and\n                                           specify the actions required to maintain consistent\n                                           environments.\n                                           Complete and finalize written server and storage log\n                                           management policies and procedures that fully document\n                                           the roles and responsibilities for log capture, manage-\n                                           ment, retention, and separation of duties.\n                                           Analyze the level of criticality of the Commission data and\n                                           the needs and wants of its customers, and establish an\n                                           appropriate backup retention period based on the results of\n                                           the analysis and that meets the requirements of the\n                                           Commission.\n                                           Ensure that tapes are handled appropriately.\n500\xe2\x80\x94Assessment of SEC\xe2\x80\x99s     3/16/2011      Identify capacity requirements for all servers, ensure suf-\nSystem and Network Logs                    ficient capacity is available for the storage of audit records,\n                                           configure auditing to reduce the likelihood that capacity\n                                           will be exceeded, and implement a mechanism to alert and\n                                           notify appropriate Commission office/divisions when log\n                                           storage capacity is reached.\n\n\n\n42   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cTable 3. Reports with Recommendations, continued\nRecommendations Open 180 days or more\n\n\tReport Number\tIssue Date\tSummary of Recommendations\n\t   and Title\n                                           Review and update all logging policies and procedures\n                                           consistent with the policy\xe2\x80\x99s review interval requirements and\n                                           retain evidence of its reviews and any updates to the policy.\n501\xe2\x80\x942011 Annual FISMA        2/2/2012      Develop and implement a detailed plan to review and\nExecutive Summary Report                   update OIT security policies and procedures and to create\n                                           OIT security policies and procedures for areas that lack\n                                           formal policy and procedures.\n                                           Develop a comprehensive risk management strategy in\n                                           accordance with National Institute of Standards and Tech-\n                                           nology\xe2\x80\x99s (NIST) Guide for Applying the Risk Management\n                                           Framework to Federal Information Systems: A Security Life\n                                           Cycle Approach, which will ensure that management of\n                                           system-related security risks is consistent with the Commis-\n                                           sion\xe2\x80\x99s mission/business objectives and overall risk strategy.\n                                           Update risk management policy to include language\n                                           regarding developing a comprehensive governance struc-\n                                           ture and ensure that management of system-related security\n                                           risks is consistent with the Commission\xe2\x80\x99s mission/business\n                                           objectives and overall risk strategy.\n                                           Develop and implement a formal risk management proce-\n                                           dure that identifies an acceptable process for evaluating\n                                           system risk consistent with the Commission\xe2\x80\x99s mission or busi-\n                                           ness objectives and overall risk strategy.\n                                           Develop and implement formal policy that addresses tailor-\n                                           ing baseline security controls sets.\n                                           Determine whether to perform the tailoring process at the\n                                           organization level for all information systems (either as the\n                                           required tailored baseline or as the starting point for system-\n                                           specific tailoring) at the individual information system level,\n                                           or by using a combination of organization-level and system-\n                                           specific approaches.\n                                           Tailor a baseline security controls set (with rationale) for\n                                           applicable systems in accordance with NIST\xe2\x80\x99s Guide for\n                                           Applying the Risk Management Framework to Federal\n                                           Information Systems: A Security Life Cycle Approach, and\n                                           NIST\xe2\x80\x99s Recommended Security Controls for Federal Informa-\n                                           tion Systems and Organizations.\n                                           Review and document the current standard baseline con-\n                                           figuration, including identification of approved deviations\n                                           and exceptions to the standard.\n\n\n\n\n                                                   APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                    |     43\n\x0cTable 3. Reports with Recommendations, continued\nRecommendations Open 180 days or more\n\n\tReport Number\tIssue Date\tSummary of Recommendations\n\t   and Title\n                                                        Conduct compliance scans of information technology\n                                                        devices, according to the organizationally defined frequen-\n                                                        cy in the policy and procedures, to ensure that all devices\n                                                        are configured as required by OIT\xe2\x80\x99s configuration manage-\n                                                        ment policy and procedures.\n                                                        Update policy and include language indicating that devia-\n                                                        tions from baseline configurations that are identified and\n                                                        documented as a result of the configuration compliance\n                                                        scans are properly remediated in a timely manner.\n                                                        Complete the implementation of the technical solution\n                                                        for linking multi-factor authentication to Personal Identity\n                                                        Verification cards for system authentication and require use\n                                                        of the cards as a second authentication factor by December\n                                                        2012.\n PI-09-05\xe2\x80\x94SEC Access Card            2/22/2010          Ensure, on a Commission-wide basis, that all regional\n Readers in Regional Offices                            offices are capable of capturing and recording building\n                                                        entry and exit information of Commission employees.\n ROI-505\xe2\x80\x94Failure to Timely           2/26/2010          Ensure as part of changes to complaint handling system that\n Investigate Allegations of                             databases used to refer complaints are updated to accu-\n Financial Fraud                                        rately reflect status of investigations and identity of staff.\n ROI-544\xe2\x80\x94Failure to Com-             1/20/2011          Take immediate measures to determine whether every OIT\n plete Background Investiga-                            employee and contractor has been properly cleared by a\n tion Clearance Before Giving                           background investigation and issued an official SEC badge.\n Access to SEC Buildings and\n Computer Systems\n ROI-551\xe2\x80\x94Allegations of              3/30/2011          Employ technology that will enable the agency to maintain\n Unauthorized Disclosures of                            records of phone calls made from and received by SEC\n Nonpublic Information                                  telephones.\n During SEC Investigations\n ROI-560\xe2\x80\x94Investigation of            9/16/2011          Reconsider position that net equity for Madoff customer\n Conflict of Interest Arising                           claims be calculated in constant dollars by conducting a\n from Former General Coun-                              re-vote, and advise the bankruptcy court of the results.\n sel\xe2\x80\x99s Participation in Madoff-\n Related Matters*\n\n*Shortly after the close of the semiannual reporting period, the Commission conducted a re-vote. The Commission is in the\nprocess of advising the bankruptcy court of the results of the re-vote.\n\n\n\n\n44   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cTable 4. Summary of Investigative Activity\n\n  Cases\tNumber\n  Cases Open as of 3/31/2012\t                                                        10\n  Cases Opened during 4/1/2012 - 9/30/2012\t                                           4\n  Cases Closed during 4/1/2012 - 9/30/2012\t                                           8\n  Total Open Cases as of 9/30/2012\t                                                   6\n  Referrals to Department of Justice for Prosecution\t                                 3\n  Prosecutions\t0\n  Convictions\t0\n  Referrals to OIG Office of Audits\t                                                  2\n  Referrals to Agency for Administrative Action\t                                      4\n\n\n  Preliminary Inquiries\tNumber\n  Inquiries Open as of 3/31/2012\t                                                    58\n  Inquiries Opened during 4/1/2012 - 9/30/2012\t                                      14\n  Inquiries Closed during 4/1/2012 - 9/30/2012\t                                      31\n  Total Open Inquiries as of 9/30/2012\t                                              41\n  Referrals to Department of Justice for Prosecution\t                                 1\n  Referrals to Agency for Administrative Action\t                                      1\n\n\n  Disciplinary Actions (including referrals made in prior periods)\tNumber\n  Removals (Including Resignations and Retirements)\t                                  5\n  Suspensions\t3\n  Reprimands\t0\n  Warnings/Other Actions\t                                                             3\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012   |   45\n\x0cTable 5. Summary of Complaint Activity\n\n     Complaints Received During the Period\tNumber\n     Complaints Pending Disposition at Beginning of Period\t         1\n     Hotline Complaints Received\t                                  172\n     Other Complaints Received\t                                    110\n     Total Complaints Received\t                                    282\n     Complaints on which a Decision was Made\t                      270\n     Complaints Awaiting Disposition at End of Period\t             13\n\n\n     Dispositions of Complaints During the Period\tNumber\n     Complaints Resulting in Investigations\t                        3\n     Complaints Resulting in Inquiries\t                            13\n     Complaints Referred to OIG Office of Audits\t                   1\n     Complaints Referred to Other Agency Components\t               153\n     Complaints Referred to Other Agencies\t                        10\n     Complaints Included in Ongoing Investigations or Inquiries\t    6\n     Response Sent/Additional Information Requested\t               44\n     No Action Needed\t                                             42\n\n\n\n\n46    |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cTable 6. References to Reporting Requirements of the Inspector General Act\nThe Inspector General Act of 1978, as amended, specifies reporting requirements for semiannual reports to\nCongress. The requirements are listed below and indexed to the applicable pages.\n\n  Section\tInspector General Act Reporting Requirement\tPages\n  4(a)(2)\tReview of Legislation and Regulations\t                                                 35\xe2\x80\x9336\n  5(a)(1)\tSignificant Problems, Abuses, and Deficiencies\t                         9\xe2\x80\x9312; 18\xe2\x80\x9323; 28\xe2\x80\x9334\n  5(a)(2)\tRecommendations for Corrective Action\t                                         18\xe2\x80\x9323; 28\xe2\x80\x9334\n  5(a)(3)\tPrior Recommendations Not Yet Implemented\t                                             40\xe2\x80\x9344\n  5(a)(4)\t     Matters Referred to Prosecutive Authorities\t                                          45\n  5(a)(5)\tSummary of Instances Where Information Was Unreasonably\n  \t\tRefused or Not Provided\t                                                                         37\n  5(a)(6)\tList of OIG Audit and Evaluation Reports Issued During the Period\t                         39\n  5(a)(7)\tSummary of Significant Reports Issued During the Period\t                       18\xe2\x80\x9323; 28\xe2\x80\x9334\n  5(a)(8)\tStatistical Table on Management Decisions with Respect to\n  \t\tQuestioned Costs\t                                                                                39\n  5(a)(9)\tStatistical Table on Management Decisions on\n  \t\tRecommendations That Funds Be Put to Better Use\t                                                 39\n  5(a)(10)\tSummary of Each Audit, Inspection or Evaluation Report Over\n  \t\tSix Months Old for Which No Management Decision has been Made\t                                   37\n  5(a)(11)\tSignificant Revised Management Decisions\t                                                 37\n  5(a)(12)\tSignificant Management Decisions with Which the Inspector \t\n  \t\t           General Disagreed\t                                                                    37\n  5(a)(14)\tAppendix of Peer Reviews Conducted by Another OIG\t                                        49\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012              |     47\n\x0c\x0cappendix A. Peer Reviews of OIG Operations\n\n\nPEER REVIEW OF THE SEC OIG\xe2\x80\x99S                             PEER REVIEW OF THE SEC OIG\xe2\x80\x99S\nAUDIT OPERATIONS                                         INVESTIGATIVE OPERATIONS\nIn accordance with the CIGIE quality control and         During the semiannual reporting period, the SEC\nassurance standards, an OIG\xe2\x80\x99s audit functions are        OIG did not have an external peer review of its\nassessed by an external OIG audit team approxi-          investigative operations. Peer reviews of Designated\nmately every three years. The Legal Services Corpo-      Federal Entity OIGs, such as the SEC OIG, are\nration (LSC) OIG conducted an assessment of the          conducted on a voluntary basis. The most recent\nOffice of Audit\xe2\x80\x99s system of quality control for the      peer review of the SEC OIG\xe2\x80\x99s investigative opera-\nperiod ending March 31, 2012. The review focused         tions was conducted by the U.S. Equal Employment\non whether the SEC OIG established and complied          Opportunity Commission (EEOC) OIG. The EEOC\nwith a system of quality control that is suitably        OIG issued its report on the SEC OIG\xe2\x80\x99s investigative\ndesigned to provide the OIG with a reasonable            operations in July 2007. This report concluded that\nassurance of conforming with applicable profes-          the SEC OIG\xe2\x80\x99s system of quality for the investigative\nsional standards.                                        function conformed to the professional standards\n                                                         established by the President\xe2\x80\x99s Council on Integrity\nOn August 23, 2012, LSC OIG issued its report,           and Efficiency and the Executive Council on Integ-\nconcluding that the SEC OIG complied with the            rity and Efficiency (now CIGIE).\nsystem of quality control and that it was suitably\ndesigned to provide the SEC OIG with reasonable          The OIG plans to submit a request to CIGIE\xe2\x80\x99s Inves-\nassurance of performing and reporting in conformi-       tigations Committee for an investigative operations\nty with applicable government auditing standards in      peer review during fiscal year 2013.\nall material respects. Federal audit organizations can\nreceive a rating of \xe2\x80\x9cpass,\xe2\x80\x9d \xe2\x80\x9cpass with deficiencies,\xe2\x80\x9d\nor \xe2\x80\x9cfail.\xe2\x80\x9d  The SEC OIG received a \xe2\x80\x9cpass\xe2\x80\x9d rating,\nand no recommendations were made. Further, there\nare no outstanding recommendations from previous\npeer reviews of our audit organization.\n\nA copy of the peer review report was provided to\nthe SEC Chairman and Commissioners. The peer\nreview report is located on OIG\xe2\x80\x99s website at:\nwww.sec-oig.gov/Reports/Semiannual/2012/\nOIG_SAR_Spring2012.pdf\n\n\n\n\n                                                         APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012               |   49\n\x0cappendix B. Annual Report on the OIG SEC Employee\nSuggestion Hotline\xe2\x80\x94Issued Pursuant to Section 966 of the\nDodd-Frank Act\n\n\nINTRODUCTION AND BACKGROUND                            The program operates pursuant to formal policies\nThe OIG established the OIG SEC Employee Sug-          and procedures, which were adopted on March 30,\ngestion Program in accordance with Section 966 of      2011, and encompass both the receipt and handling\nthe Dodd-Frank Wall Street Reform and Consumer         of employee suggestions and allegations, as well\nProtection Act (Dodd-Frank Act). Under Section         as recognition of employees whose suggestions or\n966 of the Dodd-Frank Act, the Securities Exchange     disclosures to the OIG may result or have resulted\nAct of 1934 (15 U.S.C. \xc2\xa7 78a et seq.) (Exchange        in cost savings to or efficiencies within the Com-\nAct) was amended to include a new Section 4D (15       mission. The OIG held the first OIG SEC Employee\nU.S.C. \xc2\xa7 78d-4), which required the Inspector Gen-     Suggestion Program awards ceremony in December\neral to establish a suggestion program for employees   2011, during which several SEC employees who had\nof the Commission. The OIG established its Employ-     made suggestions resulting in agency cost savings\nee Suggestion Program on September 27, 2010.           were honored.\n\nIn accordance with Section 4D(d) of the Exchange\nAct, SEC OIG has prepared this second annual           SUMMARY OF EMPLOYEE SUGGESTIONS\nreport containing a description of suggestions and     AND ALLEGATIONS RECEIVED\nallegations received, recommendations made or          Between October 1, 2011 and September 30, 2012,\naction taken by the OIG, and action taken by the       the OIG received and analyzed 53 suggestions or\nCommission in response to suggestions or allega-       allegations. Set forth below are details regarding:\ntions from October 1, 2011, through September 30,\n2012.                                                  (1)\t The nature, number, and potential benefits of\n                                                            any suggestions received.\nThrough this program, the OIG receives suggestions     (2)\t The nature, number, and seriousness of any\nfrom Commission employees for improvements                  allegations received.\nin work efficiency, effectiveness, productivity, and   (3)\t Any recommendations made or actions taken\nthe use of the resources of the Commission, as well         by the OIG in response to substantiated allega-\nas allegations by employees of the Commission of            tions received.\nwaste, abuse, misconduct, or mismanagement within      (4)\t Any action taken by the Commission in\nthe Commission. The OIG receives suggestions or             response to suggestions or allegations received.\nallegations under this program through an e-mail\nmailbox and telephone hotline established to facili-\ntate the making of suggestions or allegations.\n\n\n\n\n50   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c  Nature and Potential Benefits of Suggestions\tNumber\n  Increase efficiency or productivity \t                                                                              12\n  Increase effectiveness \t                                                                                           15\n  Increase the use of resources or decrease costs \t                                                                  14\n\n\n  Nature and Seriousness of Allegations1\tNumber\n  Mismanagement and/or discrimination \t                                                                                2\n  Waste of Commission resources\t                                                                                       7\n  Misconduct by an employee\t                                                                                           3\n\n\n  Nature and Potential Benefits of Suggestions\t                                                                    Number\n  Memorandum to or communication with the Commission requesting action be taken\t                                     14\n  Referred to OIG Office of Investigations \t                                                                           3\n  Referred to OIG Office of Audits\t                                                                                    1\n  OIG Office of Investigations opened preliminary inquiry\t                                                             2\n  Researched issue, but no further action by the Commission was necessary \t                                          22\n\n\n  Action Taken by the Commission2 \tNumber\n  SEC management took specific action to address the suggestion\t                                                       4\n  The Commission decided to secure new technology in response to the suggestion\t                                       1\n  SEC management is considering suggestion in context of existing procedures\t                                          2\n  1Suggestions and/or allegations may fall into more than one category and, as such, the numbers below may be greater than\n  the total number of suggestions/allegations received.\n  2 This table represents the Commission\xe2\x80\x99s response to suggestions and allegations that were referred to the Commission for\n  consideration and for which a response was received during the reporting period.\n\n\n\n\nEXAMPLES OF SUGGESTIONS RECEIVED                                    online refund request form or process be developed\n                                                                    to make the refund process more efficient for filers\nEDGAR Electronic Refund Requests                                    and SEC staff who process the refunds.\nThe OIG received a suggestion from an employee\nregarding fee-bearing filings made through the                      After reviewing and analyzing the suggestion\nSEC\xe2\x80\x99s Electronic Data Gathering, Analysis, and                      received, the OIG forwarded it to the Office of\nRetrieval (EDGAR) system and the process by                         Financial Management, which concurred with the\nwhich EDGAR users request refunds of excess filing                  suggestion. In July 2012, the EDGAR system was\nfees paid. At the time the suggestion was received,                 upgraded to support the electronic submission of\nusers were required to submit refund requests by                    requests for refunds of excess fees paid. In August\nmail or facsimile. The employee suggested that an                   2012, the SEC adopted revisions to the EDGAR\n\n\n\n\n                                                                   APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                           |   51\n\x0cFiler Manual to reflect the updates made to the         employees. The employee making the suggestions\nEDGAR system.                                           further stated that the creation of an expertise data-\n                                                        base to catalogue information regarding employees\xe2\x80\x99\nHard Copy CCHs                                          previous work experience would allow colleagues\nAn employee suggested that cost savings could be        to become more familiar with other employees\nachieved if the Commission decreased its number         throughout the Commission and facilitate knowl-\nof subscriptions to hard copy Commerce Clearing         edge sharing and organizational understanding.\nHouse (CCH) securities law books and their cor-\nresponding regular hard copy updates and instead        The Division of Enforcement maintains a facebook\nencouraged the use of CCH\xe2\x80\x99s online service, CCH         and directory that includes certain staff informa-\nIntelliConnect. The Commission pays an annual fee       tion, such as photograph, phone number, e-mail\nper hard copy of the CCH securities law volumes,        address, office location, position, and start date.\nbut pays a regular annual subscription fee for the      We discussed the suggestions we received with a\nonline version that is not dependent on the number      representative of the SEC\xe2\x80\x99s SharePoint Executive\nof users. Currently, the Commission spends over         Steering Committee, who stated that the SEC is\n$300,000 per year for hard copy subscriptions.          currently considering expanding the facebook/\n                                                        directory feature to other offices and divisions.\nThe OIG determined that, while the Commission           Further, according to the Steering Committee repre-\nhas taken certain initiatives to decrease the number    sentative, the Committee believes that the inclusion\nof hard copy CCH purchases, additional steps could      of an expertise database could improve efficiency\nbe taken to reduce the costs associated with hard       and effectiveness by facilitating knowledge sharing\ncopy CCHs. The OIG forwarded the suggestion             and there is wide support throughout the Commis-\nto the SEC\xe2\x80\x99s Branch of Library Services and sug-        sion for such a feature. The representative added\ngested that it consider taking steps to ensure that     that the Committee was already in the process of\nadditional information regarding the availability of    considering and/or taking steps to implement this\nthis resource online be communicated to the staff       suggestion.\non a regular basis. The OIG also recommended that\nthe Branch of Library Services provide information      Paper and Supply Waste\nto staff regarding the price discrepancy between        The OIG received several suggestions relating to\nthe hard copy and online CCH versions, and offer        paper and supply waste and ways in which such\ntraining on the online resource to encourage more       waste could be decreased or eliminated. One of\nemployees to use it. As of September 30, 2012, SEC      these suggestions related to the use of specialized\nmanagement was still considering its response to        \xe2\x80\x9cTech Wipes,\xe2\x80\x9d which are specifically designed to\nthis suggestion.                                        be used for aerospace, electronics, and laboratories,\n                                                        but, according to the employee, are instead used\nEmployee Directories                                    by many employees as paper towels. The OIG\nThe OIG received suggestions concerning the             forwarded this suggestion to the SEC\xe2\x80\x99s Facilities\ncreation of an agency-wide employee directory           Branch, which stated that these wipes were pur-\nor organizational chart that would include staff        chased for and had specific uses, but agreed to limit\nphotos, titles, and other relevant information which,   the distribution, thereby decreasing their unneces-\naccording to the employee, would facilitate organi-     sary or unintended use.\nzational understanding for both new and long-term\n\n\n\n\n52   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0cAnother suggestion we received related to the print-    the federal government to its employees and federal\ning of certificates through the Commission\xe2\x80\x99s Lead,      contractors. According to the Office of Security\nLearn, and Perform (LEAP) training management           Services, the Commission\xe2\x80\x99s previous security services\nsystem. According to this suggestion, the course        were outdated and were not in compliance with\ncompletion certificates printed through LEAP were       HSPD-12, and the new systems were cost-effective\nformatted to use three sheets of paper, with the        and went through a substantial review process\nthird page being blank. The employee suggested          before implementation. The OIG determined that\nthat the certificate be reformatted to use only one     there appeared to be adequate justification for the\nsheet of paper and, therefore, decrease waste. The      replacement and/or upgrade of security services on\nOIG contacted the Office of Human Resources,            an agency-wide basis.\nwhich indicated that it recognized the issue and then\nworked with the software vendor to eliminate the        Referrals to the Office of Investigations\nunnecessary pages for printed certificates.             The OIG received four allegations that resulted in\n                                                        referrals to the OIG\xe2\x80\x99s Office of Investigations. Alle-\n                                                        gations related to retaliation against an employee,\nEXAMPLES OF ALLEGATIONS RECEIVED                        as well as mismanagement and discrimination by\n                                                        a supervisor, were referred for inclusion in ongo-\nReplacement of Physical Security                        ing preliminary inquiries. In addition, the Office of\nSystems in Regional Offices                             Investigations opened preliminary inquiries based\nThe OIG received an allegation regarding the Com-       on the receipt of an allegation of potential miscon-\nmission\xe2\x80\x99s replacement of physical security systems      duct by contractors and allegations of mismanage-\nin the regional offices. Specifically, the employee     ment, preferential treatment of contractors, and\nalleged that the decision to replace card readers and   theft.\ncameras in the regional offices was based on the\nfact that there were issues with such readers and\ncameras in SEC headquarters in Washington, D.C.         CONCLUSION\nAccording to the employee, the replacements in the      The OIG is pleased with the Employee Sugges-\nregional offices were unnecessary and a waste of        tion Program effectiveness. We received favorable\nCommission resources.                                   responses from the SEC on several suggestions\n                                                        we submitted to them for consideration. Many\nThe OIG discussed this allegation with the SEC\xe2\x80\x99s        suggestions resulted in positive changes that will\nOffice of Security Services and learned that Com-       improve SEC employee\xe2\x80\x99s efficiency and effectiveness\nmission-wide changes to \xe2\x80\x9caccess control systems,\xe2\x80\x9d       and increase the use of SEC\xe2\x80\x99s resources, as well as\nwhich included video cameras, alarm systems, and        decrease waste.\ncard readers, were required to improve security and\nbecome compliant with Homeland Security Presi-          The OIG anticipates additional favorable responses\ndential Directive 12 (HSPD-12). HSPD-12 provides        to suggestions that the SEC is currently reviewing.\nfor a mandatory, government-wide standard for           We continue to encourage SEC employees to submit\nsecure and reliable forms of identification issued by   suggestions to OIG.\n\n\n\n\n                                                        APRIL 1, 2012\xe2\x80\x93SEPTEMBER 3O, 2012                 |   53\n\x0cOIG CONTACT INFORMATION\n\n\nHelp ensure the integrity of SEC operations. Report to the OIG suspected fraud, waste or abuse in SEC pro-\ngrams or operations as well as SEC staff or contractor misconduct. Contact the OIG by:\n\nphone \t\t         Hotline \t\t       877.442.0854\n\t\t               Main Office \t    202.551.6061\n\nweb-based\t       www.sec-oig.gov/ooi/hotline.html\nhotline \t\n\n\nfax \t\t           202.772.9265\n\nmail \t\t          Office of Inspector General\n\t\t               U.S. Securities and Exchange Commission\n\t\t               100 F Street, NE Washington, DC 20549\n\nemail \t\t         oig@sec.gov\n\n\n\nInformation received is held in confidence upon request. While the OIG encourages complaints to provide\ninformation on how they may be contacted for additional information, anonymous compaints are also\naccepted.\n\n\n\n\n54   |   OIG SEMIANNUAL REPORT TO CONGRESS\n\x0c\x0c'